Identification, authentication, authorization and accounting (AAA)

It’s important to understand the differences between identification, authentication, and authorization. Although these concepts are similar and are essential to all security mechanisms, they’re distinct and must not be confused.

Identification and authentication are commonly used as a two-step process, but they’re distinct activities. Identification is the assertion of an identity. This needs to occur only once per authentication or access process. Any one of the common authentication factors can be employed for identification. Once identification has been performed, the authentication process must take place. Authentication is the act of verifying or proving the claimed identity. The issue is both checking that such an identity exists in the known accounts of the secured environment and ensuring that the human claiming the identity is the correct, valid, and authorized human to use that specific identity.

A username is the most common form of identification. It’s any name used by a subject in order to be recognized as a valid user of a system. Some usernames are derived from a person’s actual name, some are assigned, and some are chosen by the subject. Using a consistent username across multiple systems can help establish a consistent reputation across those platforms. However, it’s extremely important to keep all authentication factors unique between locations, even when duplicating a username.

Authentication can take many forms, most commonly of one-, two-, or multifactor configurations. The more unique factors used in an authentication process, the more resilient and reliable the authentication itself becomes. If all the proffered authentication factors are valid and correct for the claimed identity, it’s then assumed that the accessing person is who they claim to be. Then the permission- and action-restriction mechanisms of authorization take over to control the activities of the user from that point forward.

Identity proofing—that is, authentication—typically takes the form of one or more of the following authentication factors:

• Something you know (such as a password, code, PIN, combination, or secret phrase)
• Something you have (such as a smartcard, token device, or key)
• Something you are (such as a fingerprint, a retina scan, or voice recognition; often referred to as biometrics, discussed later in this chapter)
• Somewhere you are (such as a physical or logical location); this can be seen as a subset of something you know.
• Something you do (such as your typing rhythm, a secret handshake, or a private knock). This can be seen as a subset of something you know.

The authentication factor of something you know is also known as a Type 1 factor, something you have is also known as a Type 2 factor, and something you are is also known as a Type 3 factor. The factors of somewhere you are and something you do are not given Type labels.

When only one authentication factor is used, this is known as single-factor authentication (or, rarely, one-factor authentication).

Authorization is the mechanism that controls what a subject can and can’t do, access, use, or view. Authorization is commonly called access control or access restriction. Most systems operate from a default authorization stance of deny by default or implicit deny. Then all needed access is granted by exception to individual subjects or to groups of subjects.

Once a subject is authenticated, its access must be authorized. The process of authorization ensures that the requested activity or object access is possible, given the rights and privileges assigned to the authenticated identity (which we refer to as the subject from this point forward). Authorization indicates who is trusted to perform specific operations. In most cases, the system evaluates an access-control matrix that compares the subject, the object, and the intended activity. If the specific action is allowed, the subject is authorized; if it’s disallowed, the subject isn’t authorized.

Keep in mind that just because a subject has been identified and authenticated, that doesn’t automatically mean it has been authorized. It’s possible for a subject to log on to a network (in other words, be identified and authenticated) and yet be blocked from accessing a file or printing to a printer (by not being authorized to perform such activities). Most network users are authorized to perform only a limited number of activities on a specific collection of resources. Identification and authentication are “all-or-nothing” aspects of access control. Authorization occupies a wide range of variations between all and nothing for each individual subject or object in the environment. Examples would include a user who can read a file but not delete it, or print a document but not alter the print queue, or log on to a system but not be allowed to access any resources.

Multifactor authentication

Multifactor authentication is the requirement that a user must provide two or more authentication factors in order to prove their identity. There are three generally recognized categories of authentication factors.

When two different authentication factors are used, the strategy is known as two-factor authentication (see Figure 4.1). If two or more authentication factors are used but some of them are of the same type, it is known as strong authentication. Using different factors (whether two or three) is always a more secure solution than any number of factors of the same authentication type, because with two or more different factors, two or more different types of attacks must take place to capture the authentication factor. With strong authentication, even if 10 passwords are required, only a single type of password-stealing attack needs to be waged to break through the authentication security.

Authentication factors are the concepts used to verify the identity of a subject.

Federation

Federation or federated identity is a means of linking a subject’s accounts from several sites, services, or entities in a single account. It’s a means to accomplish single sign-on. Federated solutions often implement trans-site authentication using SAML (see the later section “SAML”).

Federation creates authentication trusts between systems in order to facilitate single sign-on benefits. Federation trusts can be one-way or two-way and can be transitive or nontransitive. In a one-way trust, as when system A is trusted by system B, users from A can access resources in both A and B systems, but users from B can only access resources in B. In a two-way trust, such as between system A and system B, users from either side can access resources on both sides. If three systems are trust-linked using two-way nontransitive trusts, such as A links to B which links to C, then A resources are accessible by users from A and B, B resources are accessible by users from A, B, and C, and C resources are accessible by users from B and C. If three systems are trust-linked using two-way transitive trusts, then all users from all three systems can access resources from all three systems.

Single sign-on

Single sign-on (SSO) means that once a user (or other subject) is authenticated into the realm, they don’t need to reauthenticate to access resources on any realm entity. (Realm is another term for domain or network.) This allows users to access all the resources, data, applications, and servers they need to perform their work tasks with a single authentication procedure. SSO eliminates the need for users to manage multiple usernames and passwords, because only a single set of logon credentials is required. Some examples of single sign-on include Kerberos, SESAME, NetSP, KryptoKnight, directory services, thin clients, and scripted access. Kerberos is one of the SSO solution options you should know about for the Security+ exam; it is discussed in the later section “Kerberos.”

Transitive trust

Transitive trust or transitive authentication is a security concern when a block can be bypassed using a third party. A transitive trust is a linked relationship between entities (such as systems, networks, or organizations) where trust from one endpoint crosses over or through middle entities to reach the farthest linked endpoint. For example, if four systems are transitive trust linked, such as A-B-C-D, then entities in A can access resources in B, C, and D thanks to the nature of a transitive trust. It can be thought of as a shared trust.

A real-world example of transitive trust occurs when you order a pizza. The cook makes the pizza and passes it on to the assistant, who packages the pizza in a box. The assistant then hands the pizza to the delivery person, the delivery person brings it to your location to hand it to your roommate, and then your roommate brings the pizza into the kitchen, where you grab a slice to eat. Since you trust each link in the chain, you are experiencing transitive trust.

Keep in mind that transitive trust can be both a beneficial feature of linked systems as well as a source of risk or compromise. If the cook placed pineapple, mushrooms, or anchovies on the pizza that you did not want or order, then the trust is broken.

Attackers often seek out transitive trust situations in order to bypass defenses and blockades against a direct approach. For example, the company firewall prevents the attacker from launching a direct attack against the internal database server. The attacker instead targets a worker who uses social networks. After friending the target, the attacker sends the worker a link that leads to a malware infector. If the worker clicks on the link, their system may become infected by remote-control malware. Then, when the worker takes the compromised system back into the office, it provides the attacker with an access pathway to attack the internal database. Thus, the transitive trust of attacker through social network to worker to company network allowed a security breach to take place.

Exam Essentials

Understand identification. Identification is the act of claiming an identity using just one authentication factor.

Define authentication. Authentication is the act of proving a claimed identity using one or more authentication factors.

Understand multifactor authentication. Multifactor authentication is the requirement that users must provide two or more authentication factors in order to prove their identity.

Know about multifactor authentication. Multifactor authentication or strong authentication occurs when two or more authentication factors are used but some of them are of the same type.

Understand two-factor authentication. Two-factor authentication occurs when two different authentication factors are used.

Comprehend federation. Federation or federated identity is a means of linking a subject’s accounts from several sites, services, or entities in a single account.

Understand single sign-on. Single sign-on means that once a user (or other subject) is authenticated into a realm, they need not reauthenticate to access resources on any realm entity.

Know about transitive trust. Transitive trust or transitive authentication is a security concern when a block can be bypassed using a third party. A transitive trust is a linked relationship between entities where trust from one endpoint crosses over or through middle entities to reach the farthest linked endpoint.

LDAP

Please see the “LDAPS” section in Chapter 2, “Technologies and Tools,” for an introduction to this technology.

LDAP is usually present by default in every private network because it is the primary foundation of network directory services, such as Active Directory. LDAP is used to grant access to information about available resources in the network. The ability to view or search network resources can be limited through the use of authorization restrictions.

Kerberos

Early authentication transmission mechanisms sent logon credentials from the client to the authentication server in clear text. Unfortunately, this solution is vulnerable to eavesdropping and interception, thus making the security of the system suspect. What was needed was a solution that didn’t transmit the logon credentials in a form that could be easily captured, extracted, and reused.

One such method for providing protection for logon credentials is Kerberos, a trusted third-party authentication protocol that was originally developed at MIT under Project Athena. The current version of Kerberos in widespread use is version 5. Kerberos is used to authenticate network principles (subjects) to other entities on the network (objects, resources, and servers). Kerberos is platform independent; however, some OSs require special configuration adjustments to support true interoperability (for example, Windows Server with Unix).

Kerberos is a centralized authentication solution. The core element of a Kerberos solution is the key distribution center (KDC), which is responsible for verifying the identity of principles and granting and controlling access within a network environment through the use of secure cryptographic keys and tickets.

Kerberos is a trusted third-party authentication solution because the KDC acts as a third party in the communications between a client and a server. Thus, if the client trusts the KDC and the server trusts the KDC, then the client and server can trust each other.

Kerberos is also a single sign-on solution. Single sign-on means that once a user (or other subject) is authenticated into the realm, they need not reauthenticate to access resources on any realm entity. (A realm is the network protected under a single Kerberos implementation.)

The basic process of Kerberos authentication is as follows:

1. The subject provides logon credentials.
2. The Kerberos client system encrypts the password and transmits the protected credentials to the KDC.
3. The KDC verifies the credentials and then creates a ticket-granting ticket (TGT)—a hashed form of the subject’s password with the addition of a time stamp that indicates a valid lifetime. The TGT is encrypted and sent to the client.
4. The client receives the TGT. At this point, the subject is an authenticated principle in the Kerberos realm.
5. The subject requests access to resources on a network server. This causes the client to request a service ticket (ST) from the KDC.
6. The KDC verifies that the client has a valid TGT and then issues an ST to the client. The ST includes a time stamp that indicates its valid lifetime.
7. The client receives the ST.
8. The client sends the ST to the network server that hosts the desired resource.
9. The network server verifies the ST. If it’s verified, it initiates a communication session with the client. From this point forward, Kerberos is no longer involved.

Figure 4.2 shows the Kerberos authentication process.

The Kerberos authentication method helps ensure that logon credentials aren’t compromised while in transit from the client to the server. The inclusion of a time stamp in the tickets ensures that expired tickets can’t be reused. This prevents replay and spoofing attacks against Kerberos.

Kerberos supports mutual authentication (client and server identities are proven to each other). It’s scalable and thus able to manage authentication for large networks. Being centralized, Kerberos helps reduce the overall time involved in accessing resources within a network.

TACACS+

Terminal Access Controller Access Control System (TACACS) is another example of an AAA server. TACACS is an Internet standard (RFC 1492). Similar to RADIUS, it uses ports TCP 49 and UDP 49. XTACACS was the first proprietary Cisco revision of the standard RFC form. TACACS+ was the second major revision by Cisco of this service into yet another proprietary version. None of these three versions of TACACS are compatible with each other. TACACS and XTACACS are utilized on many older systems but have been all but replaced by TACACS+ on current systems.

TACACS+ differs from RADIUS in many ways. One major difference is that RADIUS combines authentication and authorization (the first two As in AAA), whereas TACACS+ separates the two, allowing for more flexibility in protocol selection. For instance, with TACACS+, an administrator may use Kerberos as an authentication mechanism while choosing something entirely different for authorization. With RADIUS these options are more limited.

Scenarios where TACACS+ would be used include any remote access situation where Cisco equipment is present. Cisco hardware is required in order to operate a TACACS+ AAA service for authenticating local or remote systems and users.

CHAP

Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol used over a wide range of Point-to-Point Protocol (PPP) connections (including dial-up, ISDN, DSL, and cable) as a means to provide a secure transport mechanism for logon credentials. It was developed as a secure alternative and replacement for PAP, which transmitted authentication credentials in clear text.

CHAP uses an initial authentication-protection process to support logon and a periodic midstream reverification process to ensure that the subject/client is still who they claim to be. The process is as follows:

1. The user is prompted for their name and password. Only the username is transmitted to the server.
2. The authentication process performs a one-way hash function on the subject’s password.
3. The authentication server compares the username to its accounts database to verify that it is a valid existing account.
4. If there is a match, the server transmits a random challenge number to the client.
5. The client uses the password hash and the challenge number as inputs to the CHAP algorithm to produce a response, which is then transmitted back to the server.
6. The server retrieves the password hash from the user account stored in the account database and then, using it along with the challenge number, computes the expected response.
7. The server compares the response it calculated to that received from the client.

If everything matches, the subject is authenticated and allowed to communicate over the connection link. Figure 4.3 shows the CHAP authentication process.

Once the client is authenticated, CHAP periodically sends a challenge to the client at random intervals. The client must compute the correct response to the issued challenge; otherwise, the connection is automatically severed. This post-authentication verification process ensures that the authenticated session hasn’t been hijacked.

Whenever a CHAP or CHAP-like authentication system is supported, use it. The only other authentication option that is more secure than CHAP is mutual certificate–based authentication.

PAP

Password Authentication Protocol (PAP) is an insecure plain-text password-logon mechanism. PAP was an early plain old telephone service (POTS) authentication mechanism. PAP is mostly unused today, because it was superseded by CHAP and numerous EAP add-ons. Don’t use PAP—it transmits all credentials in plain text.

MSCHAP

MSCHAP is Microsoft’s customized or proprietary version of CHAP. The original MSCHAPv1 was integrated into the earliest versions of Windows but was dropped with the release of Windows Vista. MSCHAPv2 was originally added to Windows NT 4.0 through Service Pack 4, as well as Windows 95 and Windows 98 with network update packages. MSCHAPv1 and MSCHAPv2 were both available on Windows NT 4.0 through Windows XP and Windows Server 2003. MSCHAP is often associated with the Point-to-Point Tunneling Protocol (PPTP), a VPN protocol, and Protected Extensible Authentication Protocol (PEAP). One of the key differences between MSCHAP and CHAP is support for mutual authentication rather than client-only authentication. MSCHAPv2 uses DES encryption to encrypt the transmitted NTML password hash, which is weak and easily cracked. Thus, MSCHAP should generally be avoided and not used in any scenario where other, stronger authentication options are available.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a centralized authentication system. It’s often deployed to provide an additional layer of security for a network. By offloading authentication of remote access clients from domain controllers or even the remote access server itself to a dedicated authentication server such as RADIUS, you can provide greater protection against intrusion for the network as a whole. RADIUS can be used with any type of remote access, including dial-up, virtual private network (VPN), and terminal services.

RADIUS is known as an AAA server. AAA stands for authentication, authorization (or access control), and accounting (sometimes referred to as auditing). RADIUS provides for distinct AAA functions for remote-access clients separate from those of normal local domain clients. RADIUS isn’t the only AAA server, but it’s the most widely deployed.

When RADIUS is deployed, it’s important to understand the terms RADIUS client and RADIUS server, both of which are depicted in Figure 4.4. The RADIUS server is obviously the system hosting the RADIUS service. However, the RADIUS client is the remote-access server (RAS), not the remote system connecting to RAS. As far as the remote-access client is concerned, it sees only the RAS, not the RADIUS server. Thus, the RAS is the RADIUS client. RADIUS is a tried-and-true AAA solution, but alternatives include the Cisco proprietary TACACS+ as well as the direct RADIUS competitor Diameter.

RADIUS can be used in any remote-access authentication scenario. RADIUS is platform independent and thus does not require any specific vendor’s hardware. Most RADIUS products from any vendor are interoperable with all others. RADIUS is a widely supported AAA service and can be used as the authentication system for most implementations of IEEE 802.1x (see the section “IEEE 802.1x,” later in this chapter), including the ENT authentication option on wireless access points.

SAML

Security Assertion Markup Language (SAML) is an open-standard data format based on XML for the purpose of supporting the exchange of authentication and authorization details between systems, services, and devices. SAML was designed to address the difficulties related to the implementation of single sign-on (SSO) over the web. SAML’s solution is based on a trusted third-party mechanism in which the subject or user (the principle) is verified through a trusted authentication service (the identity provider) in order for the target server or resource host (the service provider) to accept the identity of the visitor. SAML doesn’t dictate the authentication credentials that must be used, so it’s flexible and potentially compatible with future authentication technologies.

SAML is used to create and support federation of authentication. The success of SAML can be seen online wherever you are offered the ability to use an alternate site’s authentication to access an account. For example, if you visit feedly.com and click the “Get started for free” button, a dialog box appears (Figure 4.5) where you can select to link a new Feedly account to an existing account at Google, Facebook, Twitter, Windows, Evernote, or your own company’s enterprise authentication if you don’t want to use a unique email and password for Feedly.

SAML should be used in any scenario where linking of systems, services, or sites is desired but the authentication solutions are not already compatible. SAML allows for the creation of interfaces between authentication solutions in order to allow federation.

OpenID Connect

OpenID Connect is an Internet-based single sign-on solution. It operates over the OAuth protocol (see next section) and can be used in relation to Web services as well as smart device apps. The purpose or goal of OpenID Connect is to simplify the process by which applications are able to identify and verify users. For more detailed information and programming guidance, please see https://openid.net/connect/.

OpenID Connect should be considered for use as an authentication solution for any online application or web service. It is a simple solution that may be robust enough for your soon-to-be virally popular digital app.

OAuth

OAuth is an open standard for authentication and access delegation (federation). OAuth is widely used by websites, web services, and mobile device applications. OAuth is an easy means of supporting federation of authentication between primary and secondary systems. A primary system could be Google, Facebook, or Twitter, and secondary systems are anyone else. OAuth is often implemented using SAML. OAuth can be recognized as being in use when you are offered the ability to use an existing authentication from a primary service as the authentication at a secondary one (see Figure 4.5 earlier).

OAuth can be used in any scenario where a new, smaller secondary entity wants to employ the access tokens from primary entities as a means of authentication. In other words, OAuth is used to implement authentication federation.

Shibboleth

Shibboleth is another example of an authentication federation and single sign-on solution. Shibboleth is a standards-based open-source solution that can be used for website authentication across the Internet or within private networks. Shibboleth was developed for use by Internet2 and is now available for use in any networking environment, public or private. Shibboleth is based on SAML.

For more information on Shibboleth, please visit https://shibboleth.net/.

Secure token

A secure token is a protected, possibly encrypted authentication data set that proves a particular user or system has been verified through a formal logon procedure. Access tokens include web cookies, Kerberos tickets, and digital certificates. A secure token is an access token that does not leak any information about the subject’s credentials or allow for easy impersonation.

A secure token can also refer to a physical authentication device known as a TOTP or HOTP device (see the “HOTP/TOTP” section later in this chapter).

Secure tokens should be considered for use in any private or public authentication scenario. Minimizing the risk of information leakage or impersonation should be a goal of anyone designing, establishing, or managing authentication solutions.

NTLM

New Technology LAN Manager (NTLM) is a password hash storage system used on Microsoft Windows. NTLM exists in two versions. NTLMv1 is a challenge-response protocol system that, using a server-issued random challenge along with the user’s password (in both LM hash and MD4 hash), produces two responses that are sent back to the server (this is assuming a password with 14 or fewer characters; otherwise only an MD4 hash-based response is generated). NTLMv2 is also a challenge-response protocol system, but it uses a much more complex process that is based on MD5. Both versions of NTLM use a challenge response–based hashing mechanism whose result is nonreversible and thus much more secure than LM hashing. However, reverse-engineering password- cracking mechanisms can ultimately reveal NTLMv1 or v2 stored passwords if the passwords are relatively short (under 15 characters) and the hacker is given enough processing power and time.

LANMAN, or what is typically referred to as LM or LAN Manager, is a legacy storage mechanism developed by Microsoft to store passwords. LM was replaced by NTLM on Windows NT 4.0 and should be disabled (usually left disabled) and avoided on all current versions of Windows.

One of the most significant issues with LM is that it limited passwords to a maximum of 14 characters. Shorter passwords were padded out to 14 characters using null characters. The 14 characters of the password were converted to uppercase and then divided into two seven-character sections. Each seven-character section was then used as a DES encryption key to encrypt the static ASCII string “KGS!@#$%”. The two results were recombined to form the LM hash. Obviously, this system is fraught with problems. Specifically, the process is reversible and not truly a one-way hash, and all passwords are ultimately no stronger than seven characters.

As a user, you can completely avoid LM by using passwords of at least 15 characters. LM has been disabled by default on all versions of Windows since Windows 2000. However, this disabling only addresses the initial request for and the default transmission of LM for the authentication process. The Security Accounts Manager (SAM) still contains an LM equivalent of all passwords with 14 or fewer characters through Windows Vista, at least by default. Windows 7 and later versions of Windows do not even create the LM version of user passwords to store in the user account database by default. Settings are available in the Registry and Group Policy Objects to turn on this backward-compatibility feature.

You should leave LM disabled and disable it when it isn’t. If you need LM to support a legacy system, you should find a way to upgrade the legacy system rather than continue to use LM. The use of LM is practically equivalent to using only plain text.

NTLM is used in nearly every scenario of Windows-to-Windows authentication. Although it is not the most robust or secure form of authentication, it is secure enough in most circumstances. When NTLM is deemed insufficient or incompatible (such as when connecting to non-Windows systems), then digital certificate-based authentication should be used.

Exam Essentials

Understand Kerberos. Kerberos is a trusted third-party authentication protocol. It uses encryption keys as tickets with time stamps to prove identity and grant access to resources. Kerberos is a single sign-on solution employing a key distribution center (KDC) to manage its centralized authentication mechanism.

Know about TACACS+. TACACS is a centralized remote access authentication solution. It’s an Internet standard (RFC 1492); however, Cisco’s proprietary implementations of XTACACS and now TACACS+ have quickly gained popularity as RADIUS alternatives.

Understand CHAP. The Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol used primarily over dial-up connections (usually PPP) as a means to provide a secure transport mechanism for logon credentials. CHAP uses a one-way hash to protect passwords and periodically reauthenticate clients. A good example of CHAP usage is a point-to-point link between two corporate routers.

Define PAP. Password Authentication Protocol (PAP) is an insecure plain-text password-logon mechanism. PAP was an early plain old telephone service (POTS) authentication mechanism.

Understand MSCHAP. MSCHAP is Microsoft’s customized or proprietary version of CHAP. One of the key differences between MSCHAP and CHAP is that MSCHAP supports mutual authentication, rather than client-only authentication. MSCHAPv2 uses DES encryption to encrypt the transmitted NTML password hash, which is weak and easily cracked.

Comprehend RADIUS. RADIUS is a centralized authentication system. It’s often deployed to provide an additional layer of security for a network.

Understand SAML. Security Assertion Markup Language is an open-standard data format based on XML for the purpose of supporting the exchange of authentication and authorization details between systems, services, and devices.

Know about OpenID Connect. OpenID Connect is an Internet-based single sign-on solution. It operates over the OAuth protocol and can be used in relation to web services as well as smart device apps.

Understand OAuth. OAuth is an open standard for authentication and access delegation (federation). OAuth is widely used by websites/services and mobile device applications.

Define Shibboleth. Shibboleth is another example of an authentication federation and single sign-on solution. Shibboleth is a standards-based, open source-solution that can be used for website authentication across the Internet or within private networks.

Understand secure tokens. A secure token is a protected, possibly encrypted authentication data set that proves a particular user or system has been verified through a formal logon procedure. Access tokens include web cookies, Kerberos tickets, and digital certificates. A secure token is an access token that does not leak any information about the subject’s credentials or allow for easy impersonation.

Know about NTLM. New Technology LAN Manager (NTLM) is a password hash storage system used on Microsoft Windows. It’s a challenge-response protocol system that is nonreversible and thus much more secure than LM hashing. One place where NTLM is frequently used is in Microsoft Active Directory for user logon authentication in lieu of a RADIUS or TACACS solution.

Access control models

The mechanism by which users are granted or denied the ability to interact with and use resources is known as access control. Access control is often referred to using the term authorization. Authorization defines the type of access to resources that users are granted—in other words, what users are authorized to do. Authorization is often considered the next logical step immediately after authentication. Authentication is proving your identity to a system or the act of logging on. With proper authorization or access control, a system can properly control access to resources in order to prevent unauthorized access.

There are three common access control methods:

• Mandatory access control (MAC)
• Discretionary access control (DAC)
• Role-based access control (RBAC)

These three models are widely used in today’s IT environments. Familiarity with these models is essential for the Security+ exam.

In most environments, DAC is a sufficient authorization mechanism to use to control and manage a subject’s access to and use of resources. Most operating systems are DAC by default. In government or military environments, where classifications are deemed an essential control mechanism, MAC should be used to directly enforce and restrict access based on a subject’s clearance. RBAC is a potential alternative in many environments, but it is most appropriate in those situations where there is a high rate of employee turnover.

Physical access control

Often overlooked when considering IT security is the need to manage physical access. Physical access controls are needed to restrict physical access violations, whereas logical access controls are needed to restrict logical access violations.

Physical access controls should be implemented in any scenario in which there is a difference in value, risk, or use between one area of a facility and another. Any place where it would make sense to have a locked door, technology-managed physical access controls should be implemented.

Biometric factors

Biometrics is the term used to describe the collection of physical attributes of the human body that can be used as an identification or authentication factor. Biometrics fall into the authentication factor category of something you are: you, as a human, have the element of identification as part of your physical body.

Numerous biometric factors can be considered for identification and authentication purposes. Several of these options are discussed in the following sections.

However, when an organization decides to implement a biometric factor, it is important to evaluate the available options in order to select a biometric solution that is most in line with the organization’s security priorities. One method to accomplish this is to consult a Zephyr analysis chart (Figure 4.6). This type of chart presents the relative strengths and weaknesses of various characteristics of biometric factor options. The specific example shown in Figure 4.6 evaluates eight biometric types on four characteristics (intrusiveness, accuracy, cost, and effort). The security administrator should select a form of biometric based on their organization’s priorities for the evaluated characteristics.

Once the type of biometric is selected, then a specific make and model needs to be purchased. Finding the most accurate device to implement is accomplished using a crossover error rate analysis (see the section “Crossover error rate” later in this chapter).

Biometric factor devices or biometric scanners should be used as an element in multifactor authentication. Any scenario in which there is sensitive data carries a corresponding need for greater security. One element of stronger security is more robust authentication. Any form of multifactor authentication is stronger than a single-factor authentication solution.

Crossover error rate

The two error measurements of biometric devices (FRR and FAR) can be mapped on a graph comparing sensitivity level to rate of errors. The point on this graph where these two rates intersect is known as the crossover error rate (CER); see Figure 4.7. Notice how the number of FRR errors increases with sensitivity, whereas FAR errors decrease with an increase in sensitivity. The CER point (as measured against the error scale) is used to determine which biometric device for a specific body part from various vendors or of various models is the most accurate. The comparatively lowest CER point is the more accurate biometric device for the relevant body part.

Tokens

A token is a form of authentication factor that is something you have. It’s usually a hardware device, but it can be implemented in software as a logical token. A token is used to generate temporary single-use passwords for the purpose of creating stronger authentication. In this way, a user account isn’t tied to a single static password. Instead, the user must be in physical possession of the password-generating device. Users enter the currently valid password from the token as their password during the logon process.

There are several forms of tokens. Some tokens generate passwords based on time (see Figure 4.8 later in the chapter), whereas others generate passwords based on challenges from the authentication server. In either case, users can use (or attempt to use) the generated password just once before they must either wait for the next time window or request another challenge. Passwords that can be used only once are known as one-time passwords (OTP). This is the most secure form of password, because regardless of whether its use results in a successful logon, that one-use password is never valid again. One-time passwords can be employed only when a token is used, due to the complexity and ever-changing nature of the passwords. However, a token need not be a device; there are paper-based options as well as smartphone app–based solutions.

A token may be a device (Figure 4.8), like a small calculator with or without a keypad. It may also be a high-end smartcard. When properly deployed, a token-based authentication system is more secure than a password-only system.

A token should be used in any scenario in which multifactor authentication is needed or warranted. Almost every authentication event would be improved by implementing a multifactor solution as opposed to remaining with single-factor authentication.

Certificate-based authentication

Certificates or digital certificates are a trusted third-party authentication technology derived from asymmetric public key cryptography. Please see Chapter 6 for detailed coverage of digital certificates.

Certificate-based authentication is often a reliable mechanism for verifying the identity of devices, systems, services, applications, networks, and organizations. However, certificates alone are insufficient to identify or authenticate individuals, since the certificate is a digital file and can be lost, stolen, or otherwise abused for impersonation attacks. However, when implemented as a multifactor authentication process, certificates can be a significant improvement in logon security for a wide range of scenarios.

File system security

Filesystem security is usually focused on authorization instead of authentication. To protect a filesystem, either access to the computer through which the storage device is accessed needs to be locked down in order to deny access to anyone not specifically authorized (such as using multifactor authentication), or the storage device should be encrypted to block access to all but the intentionally authorized. See the section “Access control models” earlier in this chapter for details on authorization control via DAC, MAC, RBAC, and others.

Filesystem security should be used in all scenarios to define what access users have. Such access should be granted based on their work responsibilities in order to enable users to complete work tasks without placing the organization at any significant level of additional and unwarranted risk. This concept is known as the principle of least privilege, and it should be adopted and enforced across all means of resource access management.

Database security

Database security is an important part of any organization that uses large sets of data as an essential asset. Without database security efforts, business tasks can be interrupted and confidential information disclosed. The wide array of topics that are part of database security includes aggregation, inference, aggregation, data mining, data warehousing, and data analytics.

Structured Query Language (SQL), the language used to interact with most databases, provides a number of functions that combine records from one or more tables to produce potentially useful information. This process, known as aggregation, is not without its security vulnerabilities. Aggregation attacks are used to collect numerous low-level security items or low-value items and combine them to create something of a higher security level or value.

For example, suppose a low-level military records clerk is responsible for updating records of personnel and equipment as they are transferred from base to base. As part of his duties, this clerk may be granted the database permissions necessary to query and update personnel tables.

The military might not consider an individual transfer request (in other words, Sergeant Jones is being moved from Base X to Base Y) to be classified information. The records clerk has access to that information because he needs it to process Sergeant Jones’s transfer. However, with access to aggregate functions, the records clerk might be able to count the number of troops assigned to each military base around the world. These force levels are often closely guarded military secrets, but the low-ranking records clerk could deduce them by using aggregate functions across a large number of unclassified records.

For this reason, it’s especially important for database security administrators to strictly control access to aggregate functions and adequately assess the potential information they may reveal to unauthorized individuals.

The database security issues posed by inference attacks are very similar to those posed by the threat of data aggregation. Inference attacks involve combining several pieces of nonsensitive information to gain access to information that should be classified at a higher level. However, inference makes use of the human mind’s deductive capacity rather than the raw mathematical ability of modern database platforms.

A commonly cited example of an inference attack is that of the accounting clerk at a large corporation who is allowed to retrieve the total amount the company spends on salaries for use in a top-level report but is not allowed to access the salaries of individual employees. The accounting clerk often has to prepare those reports with effective dates in the past and so is allowed to access the total salary amounts for any day in the past year. Say, for example, that this clerk must also know the hiring and termination dates of various employees and has access to this information. This opens the door for an inference attack. If an employee was the only person hired on a specific date, the accounting clerk can now retrieve the total salary amount on that date and the day before and deduce the salary of that particular employee—sensitive information that the user would not be permitted to access directly.

As with aggregation, the best defense against inference attacks is to maintain constant vigilance over the permissions granted to individual users. Furthermore, intentional blurring of data may be used to prevent the inference of sensitive information. For example, if the accounting clerk were able to retrieve only salary information rounded to the nearest million, he would probably not be able to gain any useful information about individual employees. Finally, you can use database partitioning, dividing up a single database into multiple distinct databases according to content value, risk, and importance, to help subvert these attacks.

Many organizations use large databases, known as data warehouses (a predecessor to the idea of big data), to store large amounts of information from a variety of databases for use with specialized analysis techniques. These data warehouses often contain detailed historical information not normally stored in production databases because of storage limitations or data security concerns.

A data dictionary is commonly used for storing critical information about data, including usage, type, sources, relationships, and formats. Database management software (DBMS) reads the data dictionary to determine access rights for users attempting to access data.

Data mining techniques allow analysts to comb through data warehouses and look for potential correlated information. For example, an analyst might discover that the demand for lightbulbs always increases in the winter months and then use this information when planning pricing and promotion strategies. Data mining techniques result in the development of data models that can be used to predict future activity.

The activity of data mining produces metadata—information about data. Metadata is not exclusively the result of data mining operations; other functions or services can produce metadata as well. Think of metadata from a data mining operation as a concentration of data. It can also be a superset, a subset, or a representation of a larger data set. Metadata can be the important, significant, relevant, abnormal, or aberrant elements from a data set.

One common security example of metadata is that of a security incident report. An incident report is the metadata extracted from a data warehouse of audit logs through the use of a security auditing data mining tool. In most cases, metadata is of a greater value or sensitivity (due to disclosure) than the bulk of data in the warehouse. Thus, metadata is stored in a more secure container known as the data mart.

Data warehouses and data mining are significant to security professionals for two reasons. First, as previously mentioned, data warehouses contain large amounts of potentially sensitive information vulnerable to aggregation and inference attacks, and security practitioners must ensure that adequate access controls and other security measures are in place to safeguard this data. Second, data mining can actually be used as a security tool when it’s used to develop baselines for statistical anomaly–based intrusion detection systems.

Data analytics is the science of raw data examination with the focus of extracting useful information out of the bulk information set. The results of data analytics could focus on important outliers or exceptions to normal or standard items, a summary of all data items, or some focused extraction and organization of interesting information. Data analytics is a growing field as more organizations are gathering an astounding volume of data from their customers and products. The sheer volume of information to be processed has demanded a whole new category of database structures and analysis tools. It has even picked up the nickname of “big data.”

Big data refers to collections of data that have become so large that traditional means of analysis or processing are ineffective, inefficient, and insufficient. Big data involves numerous difficult challenges, including collection, storage, analysis, mining, transfer, distribution, and results presentation. Such large volumes of data have the potential to reveal nuances and idiosyncrasies that more mundane sets of data fail to address. The potential to learn from big data is tremendous, but the burdens of dealing with big data are equally great. As the volume of data increases, the complexity of data analysis increases as well. Big data analysis requires high-performance analytics running on massively parallel or distributed processing systems. With regard to security, organizations are endeavoring to collect an ever more detailed and exhaustive range of event data and access data. This data is collected with the goal of assessing compliance, improving efficiencies, improving productivity, and detecting violations.

A relational database is a means to organize and structure data in a flat two-dimensional table. The row and column–based organizational scheme is widely used, but it isn’t always the best solution. Relational databases can become difficult to manage and use when they grow extremely large, especially if they’re poorly designed and managed. Their performance can be slowed when significant numbers of simultaneous users perform queries. And they might not support data mapping needed by modern complex programming techniques and data structures. In the past, most applications of RDBMSs did not experience any of these potential downsides. However, in today’s era of big data and services the size of Google, Amazon, Twitter, and Facebook, RDBMSs aren’t sufficient solutions to some data-management needs.

NoSQL is a database approach that employs nonrelational data structures, such as hierarchies or multilevel nesting and referencing. A hierarchical data structure is one in which every data object can have a single data-parent relation and none, one, or many data-child relations. A data parent is an item upward or closer to the root of the hierarchy, whereas a data child is an item downward or further away from the root. DNS and XML data are excellent examples of hierarchical data structures.

A multilevel nesting and cross-referencing data structure is a system in which a data object can have multiple data-parent and data-child links and may even have links across multiple levels or among “peer” data items. Effectively, any data item can be linked to any other data item, with no structural limitations. The organization of Facebook, Twitter, and Google+ relationships is of this nature. This DBMS structure is also known as a distributed database model.

NoSQL databases or SQL databases? That is a common argument waged between DBMS managers and database programmers alike. However, using the term SQL here isn’t entirely accurate, because SQL is a means to interact with a database rather than a form or type of database. More specifically, the comparison is between relational database management systems (RDBMSs) and nonrelational databases. Databases that are labeled as NoSQL may actually support SQL commands, and thus instead should be labeled as NotRDBMS or NotRelational. The nickname NoSQL is more of a slight against Microsoft SQL Server than an indication that a DBMS used for big data does not support SQL queries.

In recent years, services, applications, and websites that have employed SQL databases (again, for clarity, a DBMS that supports SQL expressions) have been found vulnerable to a range of attacks, most notably SQL injection. However, this attack has less to do with the DBMS and SQL expressions than it does with the tendency for sites to be configured with minimal security and to use nondefensive scripts. Scripts that receive input from users but aren’t written to specifically defend against SQL injection are by default vulnerable. This vulnerability, tied in with loose security controls on the DBMS, has enabled the proliferation of SQL injection attacks across the Internet.

Although this is a serious issue, it isn’t the reason to switch to a NoSQL solution. There are many RDBMS options that can allow SQL to be disabled or don’t support SQL as an expression language. NoSQL DBMS options can often support SQL as an expression language. Thus, switching to NoSQL doesn’t resolve the SQL injection attack vulnerability on its own. The reason to switch to NoSQL solutions is to obtain a data structure and have access to data-management features that are better suited for a particular data set or programming need.

NoSQL is also known for not supporting ACID, which is a standard benefit or feature of most RDBMSs. ACID stands for the following:

• Atomicity—Each transaction occurs in an all-or-nothing state.
• Consistency—Each transaction maintains valid data and a valid state of the database.
• Isolation—Each transaction occurs individually without interference.
• Durability—Each applied transaction is resilient.

A discussion of NoSQL often brings up the topic of JSON. JavaScript Object Notation (JSON) is a common organizational and referencing format used by some NoSQL database options. The use of JSON as the basis for a NoSQL solution is a popular option for Internet services. However, it’s only one of the many NoSQL options available.

Exam Essentials

Understand authorization. Authorization is the mechanism that controls what a subject can and can’t do, access, use, or view. Authorization is commonly called access control or access restriction.

Know about access control. Access control or privilege management can be addressed using one of three primary schemes: user, group, or role. These schemes correspond directly to the access-control methodologies DAC, MAC, and RBAC.

Understand MAC. Mandatory access control (MAC) is based on classification rules. Objects are assigned sensitivity labels. Subjects are assigned clearance labels. Users obtain access by having the proper clearance for the specific resource. Classifications are hierarchical.

Know common MAC hierarchies. Government or military MAC uses the following levels: unclassified, sensitive but unclassified, confidential, secret, and top secret. Private sector or corporate business environment MAC uses these: public, sensitive, private, and confidential.

Understand DAC. Discretionary access control (DAC) is based on user identity. Users are granted access through ACLs on objects, at the discretion of the object’s owner or creator.

Comprehend ACLs. An ACL is a security logical device attached to every object and resource in the environment. It defines which users are granted or denied the various types of access available based on the object type.

Understand ABAC. Attribute-based access control (ABAC) is a mechanism of assigning access and privileges to resources through a scheme of attributes or characteristics.

Know about role-based access control (RBAC). Role-based access control (RBAC) is based on job description. Users are granted access based on their assigned work tasks. RBAC is most suitable for environments with a high rate of employee turnover.

Know about rule-based access control (RBAC). Rule-based access control (RBAC) is typically used in relation to network devices that filter traffic based on filtering rules, such as those found on firewalls and routers. Rule-based systems enforce rules independent of the user or the resource, since the rules are the rules.

Understand proximity systems. A proximity device or proximity card can be a passive device, a field-powered device, or a transponder.

Comprehend biometric device selection. It is important to evaluate the available options in order to select a biometric solution that is most in line with the organization’s security priorities; this can be accomplished by consulting a Zephyr analysis chart.

Understand FRR and FAR. False rejection rate (FRR, or Type I) errors are the number of failed authentications for valid subjects based on device sensitivity. False acceptance rate (FAR, or Type II) errors are the number of accepted invalid subjects based on device sensitivity.

Define CER. The crossover error rate (CER) is the point where the FRR and FAR lines cross on a graph. The comparatively lowest CER point is the more accurate biometric device for the relevant body part.

Understand tokens. A token is a form of authentication factor that is something you have. It’s usually a hardware device, but it can be implemented in software as a logical token.

Comprehend TOTP. Time-based one-time password (TOTP) tokens or synchronous dynamic password tokens are devices or applications that generate passwords at fixed time intervals.

Comprehend HOTP. HMAC-based one-time password (HOTP) tokens or asynchronous dynamic password tokens are devices or applications that generate passwords based not on fixed time intervals but on a nonrepeating one-way function, such as a hash or HMAC operation.

Understand personal identification verification cards. Personal identification verification cards, such as badges, identification cards, and security IDs, are forms of physical identification and/or electronic access-control devices.

Know about smartcards. Smartcards are credit card–sized IDs, badges, or security passes with embedded integrated circuit chips. They can contain information about the authorized bearer that can be used for identification and/or authentication purposes.

Understand 802.1x. 802.1x is a port-based authentication mechanism. It’s based on EAP and is commonly used in closed-environment wireless networks. However, 802.1x isn’t exclusively used on WAPs; it can also be used on firewalls, proxies, VPN gateways, and other locations where an authentication handoff service is desired. Think of 802.1x as an authentication proxy.

Account types

User account types are the starting point for the type, level, and restriction settings related to a subject’s access to resources. Organizations should consider which types of accounts to use in their network and which types should be prohibited for use.

General Concepts

This section includes descriptions of numerous account management concepts that are essential to the secure management of an IT environment.

Account policy enforcement

The combination of a username and a password is the most common form of authentication (see Figure 4.9). If the provided password matches the password stored in a system’s accounts database for the specified user, then that user is authenticated to the system. However, just because using a username and password is the most common form of authentication, that doesn’t mean it’s the most secure. On the contrary, it’s generally considered to be the least secure form of authentication.

Numerous means to improve the basic username/password combination have been developed. First is the storage of passwords in an accounts database in an encrypted form. Typically that form is the hash value from a one-way hash function. Second is the use of an authentication protocol (or mechanism) that prevents the transmission of passwords in an easily readable form over a network or especially the Internet. Third, strong (complex) passwords are often enforced at a programmatic level. This is done to ensure that only passwords that are difficult for a password-cracking tool to discover are allowed by the system.

Whatever means of authentication is adopted by an organization, it is important to consider best secure business practices and to establish a standard operating procedure to follow. Once an account management policy is established, it should be enforced. Only with consistent application of security can consistent and reliable results be expected.

Strong passwords have the following characteristics:

• Consist of numerous characters (in 2017, 12 or more with at least 16 preferred)
• Include at least three types of characters (uppercase and lowercase letters, numerals, and keyboard symbols)
• Are changed on a regular basis (every 90 days)
• Don’t include any dictionary or common words or acronyms
• Don’t include any part of the subject’s real name, username, or email address.

These features can be implemented as a requirement through account policy enforcement. This is the collection of password requirement features in the OS, often called a password policy.

Passwords should be strong enough to resist discovery through attack but easy enough for the person to remember. This can sometimes be a difficult line to walk. Training users on picking strong passphrases and memorizing them is an important element of modifying risky behavior.

Continuous monitoring stems from the need to have user accountability through the use of user access reviews. It’s becoming a standard element in government regulations and security contracts that the monitoring of an environment be continuous in order to provide a more comprehensive overview of the security stance and user compliance with security policies. Effectively, continuous monitoring requires that all users be monitored equally, that users be monitored from the moment they enter the physical or logical premises of an organization until they depart or disconnect, and that all activities of all types on any and all services and resources be tracked. This comprehensive approach to auditing, logging, and monitoring increases the likelihood of capturing evidence related to abuse or violations.

Exam Essentials

Know about shared accounts. Under no circumstances should a standard work environment implement shared accounts. It isn’t possible to distinguish between the actions of one person and another if they both use a shared account.

Understand the principle of least privilege. The principle of least privilege is a security rule of thumb that states that users should be granted only the level of access needed for them to accomplish their assigned work tasks, and no more.

Define onboarding/offboarding. Onboarding is the process of adding new employees to the organization’s identity and access management (IAM) system. It can also mean organizational socialization, which is the process by which new employees are trained in order to be properly prepared for performing their job responsibilities. Offboarding is the removal of an employee’s identity from the IAM system once they have left the organization.

Understand privileges. Group-based privileges assign a privilege or access to a resource to all members of a group as a collective. User-assigned privileges are permissions that are granted or denied on a specific individual user basis.

Know about time-of-day restrictions. Time-of-day restrictions is an access control concept that limits a user account to be able to log into a system or network only during specific hours.

Understand account maintenance. Account maintenance is the regular or periodic activity of reviewing and assessing the user accounts of an IT environment.

Comprehend group-based access control. Group-based access control grants every member of the group the same level of access to a specific object.

Understand location-based policies. Location-based policies for controlling authorization grant or deny resource access based on where the subject is located.

Know about credential management. Credential management is a service or software product designed to store, manage, and even track user credentials.

Understand Group Policy. Group Policy is the mechanism by which Windows systems can be managed in a Windows network domain environment. A Group Policy Object (GPO) is a collection of Registry settings that can be applied to a system at the time of bootup or at the moment of user login.

Comprehend password management. Password management is the system used to manage passwords across a large network environment. It typically includes a requirement for users to create complex passwords. It also addresses the issues of complexity, expiration, recovery, account disablement, lockout, history, reuse, and length.