Chapter 5. Identity and Access Management

This chapter covers the following topics:

Access Control Process: Concepts discussed include the steps of the access control process.

Physical and Logical Access to Assets: Concepts discussed include access control administration, information access, systems access, device access, and facility access.

Identification and Authentication Concepts: Concepts discussed include knowledge factors, ownership factors, characteristics factors, and time factors.

Identification and Authentication Implementation: Concepts discussed include separation of duties, least privilege/need-to-know, default to no access, directory services, single sign-on, session management, registration and proof of identity, credential management systems, and accountability.

Identity as a Service (IDaaS) Implementation: Describes the considerations when implementing IDaaS.

Third-Party Identity Services Implementation: Details how to integrate third-party identity services in an enterprise.

Authorization Mechanisms: Covers access control models and access control policies.

Access Control Threats: Concepts discussed include password threats, social engineering threats, DoS/DDoS, buffer overflow, mobile code, malicious software, spoofing, sniffing and eavesdropping, emanating, and backdoor/trapdoor.

Prevent or Mitigate Access Control Threats: Describes ways to prevent or mitigate access control threats.

Identity and Access Management is mainly concerned with controlling access to assets and managing identities. These assets include computers, equipment, networks, and applications. Security professionals must understand how to control physical and logical access to the assets and manage identification, authentication, and authorization systems. Finally, the access control threats must be addressed.

Identity and access management involve how access management works, why identity and access management (IAM) are important, and how IAM components and devices work together in an enterprise. Access control allows only authorized users, applications, devices, and systems to access enterprise resources and information. It includes facilities, support systems, information systems, network devices, and personnel. Security professionals use access controls to specify which users can access a resource, which resources can be accessed, which operations can be performed, and which actions will be monitored. Once again, the CIA triad is important in providing enterprise IAM.

1. Identify resources.

2. Identify users.

3. Identify the relationships between the resources and users.

Will this information be accessed by members of the general public?

Should access to this information be restricted to employees only?

Should access to this information be restricted to a smaller subset of employees?

Keep in mind that data, applications, services, servers, and network devices are all considered resources. Resources are any organizational asset that users can access. In access control, resources are often referred to as objects.

As part of this step, you must analyze and understand the users’ needs and then measure the validity of those needs against organizational needs, policies, legal issues, data sensitivity, and risk.

Remember that any access control strategy and the system deployed to enforce it should avoid complexity. The more complex an access control system is, the harder that system is to manage. In addition, anticipating security issues that could occur in more complex systems is much harder. As security professionals, we must balance the organization’s security needs and policies with the needs of the users. If a security mechanism that we implement causes too much difficulty for the user, the user might engage in practices that subvert the mechanisms that we implement. For example, if you implement a password policy that requires a very long, complex password, users might find remembering their passwords to be difficult. Users might then write their passwords on sticky notes that are attached to their monitor or keyboard.

Physical access focuses on controlling access to a network, system, or device. In most cases, physical access involves using access control to prevent users from being able to touch network components (including wiring), systems, or devices. While locks are the most popular physical access control method to preventing access to devices in a data center, other physical controls, such as guards and biometrics, should also be considered, depending on the needs of the organization and the value of the asset being protected.

Logical controls limit the access a user has through software or hardware components. Authentication and encryption are examples of logical controls.

When installing an access control system, security professionals should understand who needs access to the asset being protected and how those users need to access the asset. When multiple users need access to an asset, the organization should set up a multi-layer access control system. For example, users wanting access to the building may only need to sign in with a security guard. However, to access the locked data center within the same building, users would need a smart card. Both of these would be physical access controls. To protect data on a single server within the building (but not in the data center), the organization would need to deploy such mechanisms as authentication, encryption, and access control lists (ACLs) as logical access controls but could also place the server in a locked server room to provide physical access control.

When deploying physical and logical access controls, security professionals must understand the access control administration methods and the different assets that must be protected and their possible access controls.

Some companies may implement a hybrid approach that includes both centralized and decentralized access control. In this deployment model, centralized administration is used for basic access, but granular access to individual assets, such as data on a departmental server, is handled by the data owner.

User provision policies should be integrated as part of human resource management. Human resource policies should include procedures whereby the human resource department formally requests the creation or deletion of a user account when new personnel are hired or terminated.

The value of the information being protected will likely determine the controls that an organization is willing to deploy. For example, regular correspondence on a client computer will likely not require the same controls as financial data stored on a server. For the client computer, the organization may simply deploy a local software firewall and appropriate ACL permissions on the local folders and files. For the server, the organization may need to deploy more complex measures, including drive encryption, transport encryption, ACLs, and other measures.

When it comes to servers, determining which access controls to deploy is usually a more complicated process. Security professionals should work with the server owner, whether it is a department head or an IT professional, to determine the value of the asset and the needed protection. Of course, most servers should be placed in a locked room. In many cases, this will be a data center or server room. However, servers can be deployed in regular locked offices if necessary. In addition, other controls should be deployed to ensure that the system is fully protected. The access control needs of a file server are different from those of a web server or database server. It is vital that the organization perform a thorough assessment of the data that is being processed and stored on the system before determining which access controls to deploy. If limited resources are available, security professionals must ensure that their most important systems have more access controls than other systems.

For any IT professionals that need to access the device, a user account should be configured for the professional with the appropriate level of access needed. If a remote interface is used, make sure to enable encryption, such as SSL, to ensure that communication via the remote interface is not intercepted and read. Security professionals should closely monitor vendor announcements for any devices to ensure that the devices are kept up to date with the latest security patches and firmware updates.

Authentication, the second part of the process, is the act of validating a user with a unique identifier by providing the appropriate credentials. When trying to differentiate between the two, security professionals should know that identification identifies the user and authentication verifies that the identity provided by the user is valid. Authentication is usually implemented through a user password provided at logon. When a user logs in to a system, the login process should validate the login after the user supplies all the input data.

After a user is authenticated, the user must be granted the rights and permissions to resources. The process is referred to as authorization.

The most popular forms of user identification include user IDs or user accounts, account numbers, and personal identification numbers (PINs).

Authentication methods are divided into five broad categories:

Knowledge factor authentication: Something a person knows

Ownership factor authentication: Something a person has or possesses

Characteristic factor authentication: Something a person is

Location factor authentication: Somewhere a person is

Time factor authentication: The time a person is authenticating

Authentication usually ensures that a user provide at least one factor from these categories, which is referred to as single-factor authentication. An example of this would be providing a username and password at login. Two-factor authentication ensures that the user provides two of the five factors. An example of two-factor authentication would be providing a username, password, and smart card at login. Three-factor authentication ensures that a user provides three factors. An example of three-factor authentication would be providing a username, password, smart card, and fingerprint at login. For authentication to be considered strong authentication, a user must provide factors from at least two different categories. (Note that the username is the identification factor, not an authentication factor.)

You should understand that providing multiple authentication factors from the same category is still considered single-factor authentication. For example, if a user provides a username, password, and the user’s mother’s maiden name, single-factor authentication is being used. In this example, the user is still only providing factors that are something a person knows.

Identity and Account Management

Identity and account management is vital to any authentication process. As a security professional, you must ensure that your organization has a formal procedure to control the creation and allocation of access credentials or identities. If invalid accounts are allowed to be created and are not disabled, security breaches will occur. Most organizations implement a method to review the identification and authentication process to ensure that user accounts are current. Questions that are likely to help in the process include:

Is a current list of authorized users and their access maintained and approved?

Are passwords changed at least every 90 days or earlier if needed?

Are inactive user accounts disabled after a specified period of time?

Any identity management procedure must include processes for creating (provisioning), changing and monitoring (reviewing), and removing users from the access control system (revoking). This is referred to as the provisioning life cycle. When initially establishing a user account, new users should be required to provide valid photo identification and should sign a statement regarding password confidentiality. User accounts must be unique. Policies should be in place that standardize the structure of user accounts. For example, all user accounts should be firstname.lastname or some other structure. This ensures that users within an organization will be able to determine a new user’s identification, mainly for communication purposes.

After creation, user accounts should be monitored to ensure that they remain active. Inactive accounts should be automatically disabled after a certain period of inactivity based on business requirements. In addition, any termination policy should include formal procedures to ensure that all user accounts are disabled or deleted. Elements of proper account management include the following:

Establish a formal process for establishing, issuing, and closing user accounts.

Periodically review user accounts.

Implement a process for tracking access authorization.

Periodically rescreen personnel in sensitive positions.

Periodically verify the legitimacy of user accounts.

User account reviews are a vital part of account management. User accounts should be reviewed for conformity with the principle of least privilege. (The principle of least privilege is explained later in this chapter.) User account reviews can be performed on an enterprise-wide, system-wide, or application-by-application basis. The size of the organization will greatly affect which of these methods to use. As part of user account reviews, organizations should determine whether all user accounts are active.

Password Types and Management

As mentioned earlier, password authentication is the most popular authentication method implemented today. However, password types can vary from system to system. Understanding all the types of passwords that can be used is vital.

The types of passwords that you should be familiar with include:

Standard word or simple passwords: As the name implies, these passwords consist of single words that often include a mixture of upper- and lowercase letters and numbers. The advantage of this password type is that it is easy to remember. A disadvantage of this password type is that it is easy for attackers to crack or break, resulting in a compromised account.

Combination passwords: This password type uses a mix of dictionary words, usually two unrelated words. These are also referred to as composition passwords. Like standard word passwords, they can include upper- and lowercase letters and numbers. An advantage of this password is that it is harder to break than simple passwords. A disadvantage is that it can be hard to remember.

Static passwords: This password type is the same for each login. It provides a minimum level of security because the password never changes. It is most often seen in peer-to-peer networks.

Complex passwords: This password type forces a user to include a mixture of upper- and lowercase letters, numbers, and special characters. For many organizations today, this type of password is enforced as part of the organization’s password policy. An advantage of this password type is that it is very hard to crack. A disadvantage is that it is harder to remember and can often be much harder to enter correctly than standard or combination passwords.

Passphrase passwords: This password type requires that a long phrase be used. Because of the password’s length, it is easier to remember but much harder to attack, both of which are definite advantages. Incorporating upper- and lowercase letters, numbers, and special characters in this type of password can significantly increase authentication security.

Cognitive passwords: This password type is a piece of information that can be used to verify an individual’s identity. This information is provided to the system by answering a series of questions based on the user’s life, such as favorite color, pet’s name, mother’s maiden name, and so on. An advantage to this type is that users can usually easily remember this information. The disadvantage is that someone who has intimate knowledge of the person’s life (spouse, child, sibling, and so on) might be able to provide this information as well.

One-time passwords: Also called a dynamic password, this type of password is only used once to log in to the access control system. This password type provides the highest level of security because passwords are discarded when they are used.

Graphical passwords: Also called CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart, passwords, this type of password uses graphics as part of the authentication mechanism. One popular implementation requires a user to enter a series of characters in the graphic displayed. This implementation ensures that a human is entering the password, not a robot. Another popular implementation requires the user to select the appropriate graphic for his account from a list of graphics given.

Numeric passwords: This type of password includes only numbers. Keep in mind that the choices of a password are limited by the number of digits allowed. For example, if all passwords are 4 digits, then the maximum number of password possibilities is 10,000, from 0000 through 9999. After an attacker realizes that only numbers are used, cracking user passwords would be much easier because the possibilities would be known.

Passwords are considered weaker than passphrases, one-time passwords, token devices, and login phrases. After an organization has decided which type of password to use, the organization must establish its password management policies.

Password management considerations include, but might not be limited to:

Password life: How long the password will be valid. For most organizations, passwords are valid for 60 to 90 days.

Password history: How long before a password can be reused. Password policies usually remember a certain number of previously used passwords.

Authentication period: How long a user can remain logged in. If a user remains logged in for the period without activity, the user will be automatically logged out.

Password complexity: How the password will be structured. Most organizations require upper- and lowercase letters, numbers, and special characters.

Password length: How long the password must be. Most organizations require 8–12 characters.

Password masking: Prevents a password from being learned through shoulder surfing by obscuring the characters entered except for the last one.

As part of password management, organizations should establish a procedure for changing passwords. Most organizations implement a service that allows users to automatically reset their password before the password expires. In addition, most organizations should consider establishing a password reset policy in cases where users have forgotten their password or passwords have been compromised. A self-service password reset approach allows users to reset their own passwords without the assistance of help desk employees. An assisted password reset approach requires that users contact help desk personnel for help in changing their passwords.

Password reset policies can also be affected by other organizational policies, such as account lockout policies. Account lockout policies are security policies that organizations implement to protect against attacks that are carried out against passwords. Organizations often configure account lockout policies so that user accounts are locked after a certain number of unsuccessful login attempts. If an account is locked out, the system administrator might need to unlock or re-enable the user account. Security professionals should also consider encouraging organizations to require users to reset their password if their account has been locked or after a password has been used for a certain amount of time (90 days for most organizations). For most organizations, all the password policies, including account lockout policies, are implemented at the enterprise level on the servers that manage the network. Account lockout policies are most often used to protect against brute-force or dictionary attacks.

Depending on which servers are used to manage the enterprise, security professionals must be aware of the security issues that affect user account and password management. Two popular server operating systems are Linux and Windows.

For Linux, passwords are stored in the /etc/passwd and /etc/shadow file. Because the /etc/passwd file is a text file that can be easily accessed, you should ensure that any Linux servers use the /etc/shadow file where the passwords in the file can be protected using a hash. The root user in Linux is a default account that is given administrative-level access to the entire server. If the root account is compromised, all passwords should be changed. Access to the root account should be limited only to systems administrators, and root login should only be allowed via a local system console, not remotely.

For Windows computers that are in workgroups, the Security Accounts Manager (SAM) stores user passwords in a hashed format. However, known security issues exist with a SAM, including the ability to dump the password hashes directly from the registry. You should take all Microsoft-recommended security measures to protect this file. If you manage a Windows network, you should change the name of the default Administrator account or disable it. If this account is retained, make sure that you assign it a password. The default Administrator account might have full access to a Windows server.

Synchronous and Asynchronous Token

The token device (often referred to as a password generator) is a handheld device that presents the authentication server with the one-time password. If the authentication method requires a token device, the user must be in physical possession of the device to authenticate. So although the token device provides a password to the authentication server, the token device is considered an ownership authentication factor because its use requires ownership of the device.

Two basic token device authentication methods are used: synchronous or asynchronous. A synchronous token generates a unique password at fixed time intervals with the authentication server. An asynchronous token generates the password based on a challenge/response technique with the authentication server, with the token device providing the correct answer to the authentication server’s challenge.

A token device is usually only implemented in very secure environments because of the cost of deploying the token device. In addition, token-based solutions can experience problems because of the battery lifespan of the token device.

Memory Cards

A memory card is a swipe card that is issued to valid users. The card contains user authentication information. When the card is swiped through a card reader, the information stored on the card is compared to the information that the user enters. If the information matches, the authentication server approves the login. If it does not match, authentication is denied.

Because the card must be read by a card reader, each computer or access device must have its own card reader. In addition, the cards must be created and programmed. Both of these steps add complexity and cost to the authentication process. However, it is often worth the extra complexity and cost for the added security it provides, which is a definite benefit of this system. However, the data on the memory cards is not protected, a weakness that organizations should consider before implementing this type of system. Memory-only cards are very easy to counterfeit.

Smart Cards

Similar to a memory card, a smart card accepts, stores, and sends data but can hold more data than a memory card. Smart cards, often known as integrated circuit cards (ICCs), contain memory like a memory card but also contain an embedded chip like bank or credit cards. Smart cards use card readers. However, the data on the smart card is used by the authentication server without user input. To protect against lost or stolen smart cards, most implementations require the user to input a secret PIN, meaning the user is actually providing both a knowledge (PIN) and ownership (smart card) authentication factor.

Two basic types of smart cards are used: contact cards and contactless cards. Contact cards require physical contact with the card reader, usually by swiping. Contactless cards, also referred to as proximity cards, simply need to be in close proximity to the reader. Hybrid cards are available that allow a card to be used in both contact and contactless systems.

For comparative purposes, security professionals should remember that smart cards have processing power due to the embedded chips. Memory cards do not have processing power. Smart card systems are much more reliable than memory card systems.

Smart cards are even more expensive to implement than memory cards. Many organizations prefer smart cards over memory cards because they are harder to counterfeit and the data on them can be protected using encryption.

Biometric technologies are now starting to creep into some of the most popular operating systems. Examples include Windows Hello and Apple’s Touch ID technology. As a security professional, you need to be aware of such new technologies as they are deployed to provide added security. Educating users on these technologies should also be a priority to ensure that users adopt these technologies as they are deployed.

Physiological Characteristics

Physiological systems use a biometric scanning device to measure certain information about a physiological characteristic. You should understand the following physiological biometric systems:

Fingerprint

Finger scan

Hand geometry

Hand topography

Palm or hand scans

Facial scans

Retina scans

Iris scans

Vascular scans

A fingerprint scan usually scans the ridges of a finger for matching. A special type of fingerprint scan called minutiae matching is more microscopic in that it records the bifurcations and other detailed characteristics. Minutiae matching requires more authentication server space and more processing time than ridge fingerprint scans. Fingerprint scanning systems have a lower user acceptance rate than many systems because users are concerned with how the fingerprint information will be used and shared.

A finger scan extracts only certain features from a fingerprint. Because a limited amount of the fingerprint information is needed, finger scans require less server space or processing time than any type of fingerprint scan.

A hand geometry scan usually obtains size, shape, or other layout attributes of a user’s hand but can also measure bone length or finger length. Two categories of hand geometry systems are mechanical and image-edge detective systems. Regardless of which category is used, hand geometry scanners require less server space and processing time than fingerprint or finger scans.

A hand topography scan records the peaks and valleys of the hand and its shape. This system is usually implemented in conjunction with hand geometry scans because hand topography scans are not unique enough if used alone.

A palm or hand scan combines fingerprint and hand geometry technologies. It records fingerprint information from every finger as well as hand geometry information.

A facial scan records facial characteristics, including bone structure, eye width, and forehead size. This biometric method uses eigenfeatures or eigenfaces. Neither of these methods actually captures a picture of a face. With eigenfeatures, the distance between facial features are measured and recorded. With eigenfaces, measurements of facial components are gathered and compared to a set of standard eigenfaces. For example, a person’s face might be composed of the average face plus 21% from eigenface 1, 83% from eigenface 2, and –18% from eigenface 3. Many facial scan biometric devices will use a combination of eigenfeatures and eigenfaces.

A retina scan scans the retina’s blood vessel pattern. A retina scan is considered more intrusive than an iris scan.

An iris scan scans the colored portion of the eye, including all rifts, coronas, and furrows. Iris scans have a higher accuracy than any other biometric scan.

A vascular scan scans the pattern of veins in the user’s hand or face. Although this method can be a good choice because it is not very intrusive, physical injuries to the hand or face, depending on which the system uses, could cause false rejections.

Behavioral Characteristics

Behavioral systems use a biometric scanning device to measure a person’s actions. You should understand the following behavioral biometric systems:

Signature dynamics

Keystroke dynamics

Voice pattern or print

Signature dynamics measure stroke speed, pen pressure, and acceleration and deceleration while the user writes his signature. Dynamic Signature Verification (DSV) analyzes signature features and specific features of the signing process.

Keystroke dynamics measure the typing pattern that a user uses when inputting a password or other predetermined phrase. In this case, even if the correct password or phrase is entered but the entry pattern on the keyboard is different, the user will be denied access. Flight time, a term associated with keystroke dynamics, is the amount of time it takes to switch between keys. Dwell time is the amount of time you hold down a key.

Voice pattern or print measures the sound pattern of a user stating a certain word. When the user attempts to authenticate, he will be asked to repeat those words in different orders. If the pattern matches, authentication is allowed.

Biometric Considerations

When considering biometric technologies, security professionals should understand the following terms:

Enrollment time: The process of obtaining the sample that is used by the biometric system. This process requires actions that must be repeated several times.

Feature extraction: The approach to obtaining biometric information from a collected sample of a user’s physiological or behavioral characteristics.

Accuracy: The most important characteristic of biometric systems. It is how correct the overall readings will be.

Throughput rate: The rate at which the biometric system will be able to scan characteristics and complete the analysis to permit or deny access. The acceptable rate is 6–10 subjects per minute. A single user should be able to complete the process in 5–10 seconds.

Acceptability: Describes the likelihood that users will accept and follow the system.

False rejection rate (FRR): A measurement of valid users that will be falsely rejected by the system. This is called a Type I error.

False acceptance rate (FAR): A measurement of the percentage of invalid users that will be falsely accepted by the system. This is called a Type II error. Type II errors are more dangerous than Type I errors.

Crossover error rate (CER): The point at which FRR equals FAR. Expressed as a percentage, this is the most important metric.

When analyzing biometric systems, security professionals often refer to a Zephyr chart that illustrates the comparative strengths and weaknesses of biometric system. However, you should also consider how effective each biometric system is and its level of user acceptance. The following is a list of the more popular biometric methods ranked by effectiveness, with the most effective being first:

1. Iris scan

2. Retina scan

3. Fingerprint

4. Hand print

5. Hand geometry

6. Voice pattern

7. Keystroke pattern

8. Signature dynamics

The following is a list of the more popular biometric methods ranked by user acceptance, with the methods that are ranked more popular by users being first:

1. Voice pattern

2. Keystroke pattern

3. Signature dynamics

4. Hand geometry

5. Hand print

6. Fingerprint

7. Iris scan

8. Retina scan

When considering FAR, FRR, and CER, smaller values are better. FAR errors are more dangerous than FRR errors. Security professionals can use the CER rate for comparative analysis when helping their organization decide which system to implement. For example, voice print systems usually have higher CERs than iris scans, hand geometry, or fingerprints.

Figure 5-1 shows the biometric enrollment and authentication process.

Geo-fencing is one example of the use of location factors. With geo-fencing, devices only operate correctly within the geo-fence boundaries. If a device enters or exits the geo-fenced area, an alert is generated and sent to the operator.

Separation of duties is associated with dual controls and split knowledge. With dual controls, two or more users are authorized and required to perform certain functions. For example, a retail establishment might require two managers to open the safe. Split knowledge ensures that no single user has all the information to perform a particular task. An example of a split control is the military’s requiring two individuals to each enter a unique combination to authorize missile firing.

The need-to-know principle is closely associated with the concept of least privilege. Although least privilege seeks to reduce access to a minimum, the need-to-know principle actually defines what the minimums for each job or business function are. Excessive privileges become a problem when a user has more rights, privileges, and permissions than he needs to do his job. Excessive privileges are hard to control in large environments.

A common implementation of the least privilege and need-to-know principles is when a systems administrator is issued both an administrative-level account and a normal user account. In most day-to-day functions, the administrator should use his normal user account. When the systems administrator needs to perform administrative-level tasks, he should use the administrative-level account. If the administrator uses his administrative-level account while performing routine tasks, he risks compromising the security of the system and user accountability.

Organizational rules that support the principle of least privilege include the following:

Keep the number of administrative accounts to a minimum.

Administrators should use normal user accounts when performing routine operations.

Permissions on tools that are likely to be used by attackers should be as restrictive as possible.

To more easily support the least privilege and need-to-know principles, users should be divided into groups to facilitate the confinement of information to a single group or area. This process is referred to as compartmentalization.

The most common directory service standards are

X.500

Lightweight Directory Access Protocol (LDAP)

X.400

Active Directory Domain Services (AD DS)

X.500 uses the directory access protocol (DAP). In X.500, the distinguished name (DN) provides the full path in the X.500 database where the entry is found. The relative distinguished name (RDN) in X.500 is an entry’s name without the full path.

Based on X.500’s DAP, LDAP is simpler than X.500. LDAP supports DN and RDN, but includes more attributes such as the common name (CN), domain component (DC), and organizational unit (OU) attributes. Using a client/server architecture, LDAP uses TCP port 389 to communicate. If advanced security is needed, LDAP over SSL communicates via TCP port 636.

X.400 is mainly for message transfer and storage. It uses elements to create a series of name/value pairs separated by semicolons. X.400 has gradually been replaced by Simple Mail Transfer Protocol (SMTP) implementations.

Microsoft’s implementation of LDAP is Active Directory Domain Services (AD DS), which stores and organizes directory data into trees and forests. It also manages logon processes and authentication between users and domains and allows administrators to logically group users and devices into organizational units.

The interface should be independent of the type of authentication information handled.

The creation, deletion, and modification of user accounts should be supported.

Support should be provided for a user to establish a default user profile.

They should be independent of any platform or operating system.

SSO provides many advantages and disadvantages when it is implemented.

Advantages of an SSO system include:

Users are able to use stronger passwords.

User and password administration is simplified.

Resource access is much faster.

User login is more efficient.

Users only need to remember the login credentials for a single system.

Disadvantages of an SSO system include:

After a user obtains system access through the initial SSO login, the user is able to access all resources to which he is granted access. Although this is also an advantage for the user (only one login needed), it is also considered a disadvantage because only one sign-on can compromise all the systems that participate in the SSO network.

If a user’s credentials are compromised, attackers will have access to all resources to which the user has access.

Although the discussion on SSO so far has been mainly on how it is used for networks and domains, SSO can also be implemented in web-based systems. Enterprise Access Management (EAM) provides access control management for web-based enterprise systems. Its functions include accommodation of a variety of authentication methods and role-based access control.

SSO can be implemented in Kerberos and Secure European System for Applications in a Multi-vendor Environment (SESAME) environments.

Kerberos assumes that messaging, cabling, and client computers are not secure and are easily accessible. In a Kerberos exchange involving a message with an authenticator, the authenticator contains the client ID and a timestamp. Because a Kerberos ticket is valid for a certain time, the timestamp ensures the validity of the request.

In a Kerberos environment, the Key Distribution Center (KDC) is the repository for all user and service secret keys. The client sends a request to the authentication server (AS), which might or might not be the KDC. The AS forwards the client credentials to the KDC. The KDC authenticates clients to other entities on a network and facilitates communication using session keys. The KDC provides security to clients or principals, which are users, network services, and software. Each principal must have an account on the KDC. The KDC issues a ticket-granting ticket (TGT) to the principal. The principal will send the TGT to the ticket-granting service (TGS) when the principal needs to connect to another entity. The TGS then transmits a ticket and session keys to the principal. The set of principles for which a single KDC is responsible is referred to as a realm.

Some advantages of implementing Kerberos include the following:

User passwords do NOT need to be sent over the network.

Both the client and server authenticate each other.

The tickets passed between the server and client are time stamped and include lifetime information.

The Kerberos protocol uses open Internet standards and is not limited to proprietary codes or authentication mechanisms.

Some disadvantages of implementing Kerberos include:

KDC redundancy is required if providing fault tolerance is a requirement. The KDC is a single point of failure.

The KDC must be scalable to ensure that performance of the system does not degrade.

Session keys on the client machines can be compromised.

Kerberos traffic needs to be encrypted to protect the information over the network.

All systems participating in the Kerberos process must have synchronized clocks.

Kerberos systems are susceptible to password-guessing attacks.

Figure 5-2 shows the ticket-issuing process for Kerberos.

SESAME uses Privileged Attribute Certificates (PACs) instead of tickets. It incorporates two certificates: one for authentication and one for defining access privileges. The trusted authentication server is referred to as the Privileged Attribute Server (PAS), which performs roles similar to the KDC in Kerberos. SESAME can be integrated into a Kerberos system.

In the cross-certification model, each organization certifies that every other organization is trusted. This trust is established when the organizations review each other’s standards. Each organization must verify and certify through due diligence that the other organizations meet or exceed standards. One disadvantage of cross certification is that the number of trust relationships that must be managed can become a problem. In addition, verifying the trustworthiness of other organizations can be time-consuming and resource intensive.

In the trusted third-party or bridge model, each organization subscribes to the standards of a third party. The third party manages verification, certification, and due diligence for all organizations. This is usually the best model if an organization needs to establish federated identity management relationships with a large number of organizations.

Security Assertion Markup Language (SAML) 2.0 is an SAML standard that exchanges authentication and authorization data between organizations or security domains. It uses an XML-based protocol to pass information about a principal between an SAML authority and a web service via security tokens. In SAML 2.0, there are three roles: the principal or user, the identity provider, and the service provider. The service provider requests identity verification from the identity provider. SAML is very flexible because it is based on XML. If an organization implements enterprise SAML identity federation, the organization can select which identity attributes to share with another organization.

Desktop sessions should be managed through a variety of mechanisms. Screensavers allow computers to be locked if left idle for a certain period of time. To reactivate a computer, the user must log back in. Screensavers are a timeout mechanism, and other timeout features may also be used, such as shutting down or placing a computer in hibernation after a certain period. Session or logon limitations allow organizations to configure how many concurrent sessions a user can have. Schedule limitations allow organizations to configure the time during which a user can access a computer.

Remote sessions usually incorporate some of the same mechanisms as desktop sessions. However, remote sessions do not occur at the computer itself. Rather, they are carried out over a network connection. Remote sessions should always use secure connection protocols. In addition, if users will only be remotely connecting from certain computers, the organization may want to implement some type of rule-based access that allows only certain connections.

The National Institute of Standards and Technology (NIST) has issued documents that provide guidance on proof of identity:

FIPS Publication 201.2, Personal Identity Verification (PIV) of Federal Employees and Contractors: This document specifies the architecture and technical requirements for a common identification standard for federal employees and contractors. This publication includes identification, security, and privacy requirements and personal identity verification system guidelines.

NIST 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI): This document includes preparation guidelines, issuer control implementation guidelines, and issuer control life cycle guidelines.

Both of these NIST publications are intended to guide federal government agencies in their proof of identity efforts and can also be used by private organizations to aid in the development of their own systems.

Credential management systems allow organizations to establish an enterprise-wide user authentication and authorization framework. Organizations should employ security professionals to design, deploy, and manage secure credential management systems. The business requirements for a credential management system should include individual privacy protection guidelines, automated identity solutions, security, and innovation. Some of the guidelines of a credential management system include the following:

Use strong passwords.

Automatically generate complex passwords.

Implement password history.

Use access control mechanisms, including the who, what, how, and when of access.

Implement auditing.

Implement backup and restore mechanisms for data integrity.

Implement redundant systems within the credential management systems to ensure 24/7/365 access.

Implement credential management group policies or other mechanisms offered by operating systems.

When an organization implements a credential management system, separation of duties becomes even more important because the centralized credential management system can be used to commit fraud. Security professionals should provide guidance on how the separation should occur to best protect the organization and its assets.

To ensure that users are accountable for their actions, organizations could implement any combination of the following components:

Strong identification: Each user should have his or her own account. Group or role accounts cannot be traced back to a single individual.

Strong authentication: Multi-factor authentication is best. At minimum, two-factor authentication should be implemented.

Monitoring: User actions should be monitored, including login, privilege use, and other actions. Users should be warned as part of a no expectation of privacy statement that all actions can be monitored.

Audit Logs: Audit logs should be maintained and stored according to organizational security policies. Administrators should periodically review these logs.

Although organizations should internally implement these accountability mechanisms, they should also periodically have a third party perform audits and tests. This is important because the outside third party can provide objectivity that internal personnel often cannot provide.

When designing an auditing mechanism, security professionals should remember the following guidelines:

Develop an audit log management plan that includes mechanisms to control the log size, backup processes, and periodic review plans.

Ensure that the ability to delete an audit log is a two-man control that requires the cooperation of at least two administrators. This ensures that a single administrator is not able to delete logs that might hold incriminating evidence.

Monitor all high-privilege accounts (including all root users and administrative-level accounts).

Ensure that the audit trail includes who processed the transaction, when the transaction occurred (date and time), where the transaction occurred (which system), and whether the transaction was successful or not.

Ensure that deleting the log and deleting data within the logs cannot occur unless the user has the appropriate administrative-level permissions.

Audit trails detect computer penetrations and reveal actions that identify misuse. As a security professional, you should use the audit trails to review patterns of access to individual objects. To identify abnormal patterns of behavior, you should first identify normal patterns of behavior. Also, you should establish the clipping level, which is a baseline of user errors above which violations will be recorded. For example, your organization might choose to ignore the first invalid login attempt, knowing that initial failed login attempts are often due to user error. Any invalid login after the first would be recorded because it could be a sign of an attack. A common clipping level that is used is three failed login attempts. Any failed login attempt above the limit of three would be considered malicious. In most cases, a lockout policy would lock out a user’s account after this clipping level is reached.

Audit trails deter attacker attempts to bypass the protection mechanisms that are configured on a system or device. As a security professional, you should specifically configure the audit trails to track system/device rights or privileges being granted to a user and data additions, deletions, or modifications.

Finally, audit trails must be monitored, and automatic notifications should be configured. If no one monitors the audit trail, then the data recorded in the audit trail is useless. Certain actions should be configured to trigger automatic notifications. For example, you might want to configure an email alert to occur after a certain number of invalid login attempts because invalid login attempts might be a sign that a brute-force password attack is occurring.

If organizations consider IDaaS deployment, they should primarily be concerned with service availability, identity data protection, and trusting a third party with a critical business function. They should also be concerned with regulatory compliance. Moving identity management to the cloud brings up a whole host of questions for the organization regarding auditing, ensuring compliance of regulations, and what happens if disclosures occur.

An organization should perform a comprehensive risk analysis prior to deploying any IDaaS service. After performing the risk analysis, the organization should determine which identities should be placed on the IDaaS solution.

The access control models and concepts that you need to understand include the following:

Discretionary access control

Mandatory access control

Role-based access control

Rule-based access control

Content-dependent versus context-dependent access control

Access control matrix

Capabilities table

ACL

DAC can be an administrative burden because the data custodian or owner grants access privileges to the users. Under DAC, a subject’s rights must be terminated when the subject leaves the organization. Identity-based access control is a subset of DAC and is based on user identity or group membership.

Non-discretionary access control is the opposite of DAC. In non-discretionary access control, access controls are configured by a security administrator or other authority. The central authority decides which subjects have access to objects based on the organization’s policy. In non-discretionary access control, the system compares the subject’s identity with the objects’ ACL.

MAC is more secure than DAC. DAC is more flexible and scalable than MAC. Because of the importance of security in MAC, labeling is required. Data classification reflects the data’s sensitivity. In a MAC system, a clearance is a subject’s privilege. Each subject and object is given a security or sensitivity label. The security labels are hierarchical. For commercial organizations, the levels of security labels could be confidential, proprietary, corporate, sensitive, and public. For government or military institutions, the levels of security labels could be top secret, secret, confidential, and unclassified.

In MAC, the system makes access decisions when it compares the subject’s clearance level with the object’s security label.

RBAC is not as secure as the previously mentioned access control models because security is based on roles. RBAC usually has a much lower cost to implement than the other models and is popular in commercial applications. It is an excellent choice for organizations with high employee turnover. RBAC can effectively replace DAC and MAC because it allows you to specify and enforce enterprise security policies in a way that maps to the organization’s structure.

RBAC is managed in four ways. In non-RBAC, no roles are used. In limited RBAC, users are mapped to single application roles, but some applications do not use RBAC and require identity-based access. In hybrid RBAC, each user is mapped to a single role, which gives them access to multiple systems, but each user can be mapped to other roles that have access to single systems. In full RBAC, users are mapped to a single role as defined by the organization’s security policy, and access to the systems is managed through the organizational roles.

Context-dependent access control is based on subject or object attributes or environmental characteristics. These characteristics can include location or time of day. An example of this is if administrators implement a security policy that ensures that a user only logs in from a particular workstation during certain hours of the day.

Security experts consider a constrained user interface as another method of access control. An example of a constrained user interface is a shell, which is a software interface to an operating system that implements access control by limiting the system commands that are available. Another example is database views that are filtered based on user or system criteria. Constrained user interfaces can be content- or context-dependent based on how the administrator constrains the interface.

Capabilities Table

A capability corresponds to a subject’s row from an access control matrix. A capability table lists the access rights that a particular subject has to objects. A capability table is about the subject.

ACL

An ACL corresponds to an object’s column from an access control matrix. An ACL lists all the access rights that subjects have to a particular object. An ACL is about the object.

Figure 5-3 shows an access control matrix and how a capability and ACL are part of it.

Access control threats that you should understand include:

Password threats

Social engineering threats

DoS/DDoS

Buffer overflow

Mobile code

Malicious software

Spoofing

Sniffing and eavesdropping

Emanating

Backdoor/trapdoor

The best countermeasures against password threats are to implement complex password policies, require users to change passwords on a regular basis, employ account lockout policies, encrypt password files, and use password-cracking tools to discover weak passwords.

You should implement a security rule that says that a password must NOT be a word found in the dictionary to protect against these attacks. You can also implement an account lockout policy so that an account is locked out after a certain number of invalid login attempts.

The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.

Pharming is similar to phishing, but it actually pollutes the contents of a computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site.

Caution users against using any links embedded in email messages, even if the message appears to have come from a legitimate entity. Users should also review the address bar any time they access a site where their personal information is required to ensure that the site is correct and that SSL is being used, which is indicated by an HTTPS designation at the beginning of the URL address.

Organizations should implement policies for shredding documents that contain this information.

A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations. Vulnerable devices are infected with software agents, called zombies. This turns the vulnerable devices into botnets, which then carry out the attack. Because of the distributed nature of the attack, identifying all the attacking botnets is virtually impossible. The botnets also help to hide the original source of the attack.

To protect against this issue, organizations should ensure that all operating systems and applications are updated with the latest service packs, updates, and patches. In addition, programmers should properly test all applications to check for overflow conditions. Finally, programmers should use input validation to ensure that the data submitted is not too large for the buffer.

Organizations should ensure that users understand the security concerns of malicious mobile code. Users should only download mobile code from legitimate sites and vendors.

The following are the five classes of malware you should understand:

Virus: Any malware that attaches itself to another application to replicate or distribute itself.

Worm: Any malware that replicates itself, meaning that it does not need another application or human interaction to propagate.

Trojan horse: Any malware that disguises itself as a needed application while carrying out malicious actions.

Spyware: Any malware that collects private user data, including browsing history or keyboard input.

Ransomware: Any malware that prevents or limits a user’s access to his or her system or device. Usually it forces victims to pay the ransom for the return of system access.

The best defense against malicious software is to implement anti-virus and anti-malware software. Today most vendors package these two types of software in the same package. Keeping anti-virus and anti-malware software up to date is vital. This includes ensuring that the latest virus and malware definitions are installed.

A man-in-the-middle attack uses spoofing as part of the attack. Some security professionals consider phishing attacks as a type of spoofing attack.

Organizations should monitor and limit the use of sniffers. To protect against their use, you should encrypt all traffic on the network.

The TEMPEST program, initiated by the United States and UK, researches ways to limit emanations and standardizes the technologies used. Any equipment that meets TEMPEST standards suppresses signal emanations using shielding material. Devices that meet TEMPEST standards usually implement an outer barrier or coating, called a Faraday cage or Faraday shield. TEMPEST devices are most often used in government, military, or law enforcement.

Most established vendors no longer release devices or applications with this security issue. You should be aware of any known backdoors in the devices or applications you manage.

Deploy physical access controls for all systems and devices.

Control and monitor access to password files.

Encrypt password files.

Deploy an enterprise-wide strong password policy.

Deploy password masking on all operating systems and applications.

Deploy multi-factor authentication.

Deploy account lockout.

Deploy auditing for access controls.

Deploy a user account management policy to ensure that user accounts are created and removed as necessary.

Provide user security awareness training that specifically focuses on access control.

access control

access control list (ACL)

access control matrix

access control policy

authentication

authorization

backdoor

biometric acceptability

biometric accuracy

biometric throughput

brute-force attack

buffer overflow

capability table

centralized access control

characteristic factors

context-dependent access control

cross-certification federated identity model

crossover error rate

decentralized access control

Dictionary attack

discretionary access control (DAC)

dumpster diving

false acceptance rate (FAR)

false rejection rate (FRR)

federated identity

identification

Identity as a Service (IDaaS)

Kerberos

knowledge factors

least privilege

Lightweight Directory Access Protocol (LDAP)

location factors

logical control

mandatory access control (MAC)

multi-factor authentication

need-to-know

ownership factors

password masking

pharming

phishing

physical control

provisioning life cycle

ransomware

role-based access control (RBAC)

rule-based access control

Secure European System for Applications in a Multi-vendor Environment (SESAME)

Security Assertion Markup Language (SAML)

security domain

separation of duties

shoulder surfing

single-factor authentication

single sign-on (SSO)

spyware

trapdoor

Trojan horse

trusted third-party federated identity model

virus

vishing

whaling

worm

a. password

b. mother’s maiden name

c. city of birth

d. smart card

2. Which of the following statements about memory cards and smart cards is false?

a. A memory card is a swipe card that contains user authentication information.

b. Memory cards are also known as integrated circuit cards (ICCs).

c. Smart cards contain memory and an embedded chip.

d. Smart card systems are more reliable than memory card systems.

3. Which biometric method is most effective?

a. iris scan

b. retina scan

c. fingerprint

d. hand print

4. What is a Type I error in a biometric system?

a. crossover error rate (CER)

b. false rejection rate (FRR)

c. false acceptance rate (FAR)

d. throughput rate

5. Which access control model is most often used by routers and firewalls to control access to networks?

a. discretionary access control

b. mandatory access control

c. role-based access control

d. rule-based access control

6. Which threat is NOT considered a social engineering threat?

a. phishing

b. pharming

c. DoS attack

d. dumpster diving

7. Which of the following statements best describes an IDaaS implementation?

a. Ensures that any instance of identification and authentication to a resource is managed properly.

b. Collects and verifies information about an individual to prove that the person who has a valid account is who he or she claims to be.

c. Provides a set of identity and access management functions to target systems on customers’ premises and/or in the cloud.

d. It is an SAML standard that exchanges authentication and authorization data between organizations or security domains.

8. Which of the following is an example of multi-factor authentication?

a. username and password

b. username, retina scan, and smart card

c. retina scan and finger scan

d. smart card and security token

9. You decide to implement an access control policy that requires that users logon from certain workstations within your enterprise. Which type of authentication factor are you implementing?

a. knowledge factor

b. location factor

c. ownership factor

d. characteristic factor

10. Which threat is considered a password threat?

a. buffer overflow

b. sniffing

c. spoofing

d. brute-force attack

11. Which session management mechanisms are often used to manage desktop sessions?

a. screensavers and timeouts

b. FIPS 201.2 and NIST SP 800-79-2

c. Bollards and locks

d. KDC, TGT, and TGS

12. Which of the following is a major disadvantage of implementing an SSO system?

a. Users are able to use stronger passwords.

b. Users need to remember the login credentials for a single system.

c. User and password administration are simplified.

d. If a user’s credentials are compromised, attacker can access all resources.

13. Which type of attack is carried out from multiple locations using zombies and botnets?

a. TEMPEST

b. DDoS

c. Backdoor

d. Emanating

2. b. Memory cards are NOT also known as integrated circuit cards (ICCs). Smart cards are also known as ICCs.

3. a. Iris scans are considered more effective than retina scans, fingerprints, and hand prints.

4. b. A Type I error in a biometric system is false rejection rate (FRR). A Type II error in a biometric system is false acceptance rate (FAR). Crossover error rate (CER) is the point at which FRR equals FAR. Throughput rate is the rate at which users are authenticated.

5. d. Rule-based access control is most often used by routers and firewalls to control access to networks. The other three types of access control models are not usually implemented by routers and firewalls.

6. c. A denial-of-service (DoS) attack is not considered a social engineering threat. The other three options are considered to be social engineering threats.

7. c. An Identity as a Service (IDaaS) implementation provides a set of identity and access management functions to target systems on customers’ premises and/or in the cloud. Session management ensures that any instance of identification and authentication to a resource is managed properly. A proof of identity process collects and verifies information about an individual to prove that the person who has a valid account is who he or she claims to be.

8. b. Using username, retina scan, and a smart card is an example of multi-factor authentication. The username is something you know, the retina scan is something you are, and the smart card is something you have.

9. b. You are implementing location factors, which are based on where a person is located when logging in.

10. d. A brute-force attack is considered a password threat.

11. a. Desktop sessions can be managed through screensavers, timeouts, logon, and schedule limitations. Federal Information Processing Standards (FIPS) Publication 201.2 and NIST Special Publication 800-79-2 are documents that provide guidance on proof of identity. Physical access to facilities can be provided securely using locks, fencing, bollards, guards, and closed-circuit television (CCTV). In Kerberos, the key distribution center (KDC) issues a ticket-granting ticket (TGT) to the principal. The principal sends the TGT to the ticket-granting service (TGS) when the principal needs to connect to another entity.

12. d. If a user’s credentials are compromised in a single sign-on (SSO) environment, attackers have access to all resources to which the user has access. All other choices are advantages to implementing an SSO system.

13. b. A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations. Vulnerable devices are infected with software agents, called zombies. This turns the vulnerable devices into botnets, which then carry out the attack. Devices that meet TEMPEST standards implement an outer barrier or coating, called a Faraday cage or Faraday shield. A backdoor or trapdoor is a mechanism implemented in many devices or applications that gives the user who uses the backdoor unlimited access to the device or application. Emanations are electromagnetic signals that are emitted by an electronic device. Attackers can target certain devices or transmission mediums to eavesdrop on communication without having physical access to the device or medium.