CompTIA Security+ SY0-501 Notes
Chapter 2 Understanding Identity and Access Management
0. Mind Map
1. Identification & AAA
Identification occurs when users claim (or profess) their identity with identifiers, such as usernames or email addresses. Users then prove their identity with authentication, such as with a password. In this context, a user’s credential refers to both a claimed identity and authentication. It is worth noting that authentication is not limited to users: services, processes, workstations, servers, and network devices all use authentication to prove their identities. Besides identification and authentication, authorization is also required; it is granted to users so that they can access resources. Additionally, accounting methods are used to track user activity and record it in logs, which can be used to create an audit trail that allows security professionals to re-create the events that preceded a security incident.
2. Authentication Factors & Methods
Authentication is often simplified into types, or factors, of authentication. Dual-factor authentication (sometimes called two-factor authentication) uses two factors of authentication, while multifactor authentication uses two or more factors. Factors of authentication include:
2.1. Something You Know
The something you know authentication factor typically refers to a shared secret, such as a password or even a PIN. This factor is the least secure form of authentication; however, the security of a password can be increased by methods such as training users about password behaviours, implementing password policies, and implementing account lockout policies. For training users, it is important to teach them how to create strong passwords (complexity plus length) and the importance of never giving out their passwords. Most organizations implement account lockout policies to prevent password guessing, and two key phrases are associated with account lockout policies:
a. Account lockout threshold
This is the maximum number of times a user can enter the wrong password. When the user exceeds the threshold, the system locks the account automatically.
b. Account lockout duration
This indicates how long an account remains locked. It could be set to 30, indicating that the system will lock the account for 30 minutes and automatically unlock it after the duration. If the duration is set to 0, the account remains locked until an administrator unlocks it manually.
For implementing password policies, administrators use Group Policy, which is implemented on a domain controller within a domain, to create password policies and implement other security policies, settings, and configurations. The following settings are involved in password policies:
a. Enforce password history
Some users go back and forth between two passwords that they constantly use and reuse. Password history remembers past passwords and prevents the user from reusing previously used passwords.
b. Maximum password age
This setting defines how long users can keep a password before they must change it; when the maximum password age is reached, it forces users to reset their password to a new one.
c. Minimum password age
The minimum password age defines how long users must wait before changing their password again. This is useful with a password history to prevent users from changing their password multiple times until they get back to the original password.
d. Minimum password length
This setting enforces the character length of the password. It is common to require users to have passwords at least 14 characters long, but some organizations require administrators to have longer passwords.
e. Password must meet complexity requirements
This setting requires users to have complex passwords that include at least three of the four character types (uppercase letters, lowercase letters, numbers, and special characters). Additionally, to ensure the complexity of passwords, some organizations require that passwords do not include words found in a dictionary or any part of a user’s name.
It is worth noting that if you make a password too complex, you make it less secure. This is because users have problems remembering overly complex passwords, and they are more likely to write them down, which significantly reduces security.
f. Store passwords using reversible encryption
Reversible encryption stores the password in such a way that the original password can be discovered. This is rarely enabled.
g. Effective password recovery
It’s not uncommon for users to occasionally forget their password, in which case a password reset is required. It is important to verify the user’s identity before resetting the password. Organizations currently use several methods, such as:
- Invoke an identity-proofing system that asks you questions that you pre-set.
- The system sends you a code, such as a six-digit PIN.
- The system sends you the resetting password link to your email.
If the help desk assists users with password resets, the help-desk professional should set a temporary password that expires upon first use. This forces the user to set a new password and reduces the chance that the password is revealed.
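The policy settings a to f above, implemented as a password-change check; this is an added example written for these notes, not code from the study guide. The policy values, the account class and the salted PBKDF2 history hash are assumptions for illustration (real systems store the history in their own credential store).

```python
from datetime import datetime, timedelta
import hashlib
import os
import string

# Constructed policy values mirroring the Group Policy settings discussed above.
POLICY = {
    "enforce_password_history": 5,     # remembered old passwords that may not be reused
    "maximum_password_age_days": 90,   # password must be changed after this many days
    "minimum_password_age_days": 1,    # no second change within this many days
    "minimum_password_length": 14,
    "complexity_required": True,       # at least three of the four character classes
}


def meets_complexity(password: str) -> bool:
    """Three of four classes: uppercase, lowercase, digit, special character."""
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    return sum(classes) >= 3


def _hash(password: str, salt: bytes) -> bytes:
    # Salted one-way hash for the history list, so the stored history is not reversible
    # (contrast with the "reversible encryption" setting, which should stay disabled).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    """Hypothetical account record holding only what the policy checks need."""

    def __init__(self, username: str, password: str, now: datetime):
        self.username = username
        self.salt = os.urandom(16)
        self.history = []            # hashes of past passwords, most recent first
        self.last_change = now
        self._set(password, now)

    def _set(self, password: str, now: datetime) -> None:
        self.history.insert(0, _hash(password, self.salt))
        del self.history[POLICY["enforce_password_history"]:]   # keep only N remembered
        self.last_change = now

    def must_change(self, now: datetime) -> bool:
        """Maximum password age: True once the current password is too old."""
        return now - self.last_change >= timedelta(days=POLICY["maximum_password_age_days"])

    def change_password(self, new_password: str, now: datetime) -> str:
        """Apply the settings in order; return 'ok' or the name of the violated setting."""
        if now - self.last_change < timedelta(days=POLICY["minimum_password_age_days"]):
            return "minimum_password_age"
        if len(new_password) < POLICY["minimum_password_length"]:
            return "minimum_password_length"
        if POLICY["complexity_required"] and not meets_complexity(new_password):
            return "complexity"
        if _hash(new_password, self.salt) in self.history:
            return "password_history"
        self._set(new_password, now)
        return "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    acct = Account("homer", "Springfield#Donuts42", t0)
    print(acct.change_password("Springfield#Donuts42", t0 + timedelta(days=2)))  # password_history
    print(acct.change_password("Nuclear-Plant-Sector7G", t0 + timedelta(days=2)))  # ok
```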
2.2. Something You Have
The something you have authentication factor refers to something you can physically hold, and common items in the factor include:
a. Smart Card
Smart cards are credit-card-sized cards that have an embedded microchip and a certificate. They are often used with dual-factor authentication. Users insert the smart card into a smart card reader, and the reader reads the information on the card, including the details from the certificate, which provides certificate-based authentication. There are two requirements for a smart card:
- Embedded certificate
The embedded certificate holds a user’s private key and is matched with a public key. The private key is used each time the user logs on to a network.
- Public Key Infrastructure (PKI)
The PKI supports issuing and managing certificates.
There are two special types of smart card:
- Common Access Cards (CACs)
A CAC is a specialized type of smart card used by the U.S. Department of Defense. Besides the components and functions of a normal smart card, it also includes a picture of the user and other readable information.
- Personal Identity Verification cards (PIVs)
Similarly, a PIV is a specialized type of smart card used by U.S. federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation, just as a CAC does.
b. Tokens & Key Fobs
A token or key fob (sometimes simply called a fob) is an electronic device about the size of a remote key for a car. It includes a liquid crystal display (LCD) that displays a number, and this number changes periodically. These are sometimes called hardware tokens, while software that plays the same role, such as a VPN access app, is called a software token. Both hardware and software tokens need an algorithm to produce a one-time password (OTP) to complete the authentication, and the two most commonly used open OTP standards are:
- HMAC-based One-Time Password (HOTP)
HOTP is an open standard used for creating one-time passwords, similar to those used in tokens or key fobs. The OTP created with HOTP is event based. The algorithm combines a secret key and an incrementing counter and uses HMAC to create a hash of the result. It then converts the result into an HOTP value of six to eight digits.
- Time-based One-Time Password (TOTP)
TOTP is similar to HOTP, but it uses a timestamp instead of a counter. OTPs created with TOTP typically expire after 30 seconds.
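Both standards worked through in code, as an added example for these notes (not from the study guide): HMAC-SHA1 over the counter, the RFC 4226 dynamic truncation to six to eight digits, and TOTP as HOTP over the 30-second time step. The secret is the published RFC 4226/6238 test secret so the outputs can be checked against the RFCs; the server-side verification helpers and their window sizes are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real token's secret is provisioned out of band and never shown to the user.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # 20-byte HMAC
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF   # drop the sign bit
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter replaced by the current time step."""
    return hotp(secret, now // step, digits)


def verify_hotp(secret: bytes, submitted: str, server_counter: int, window: int = 3):
    """Server-side HOTP check. The token's counter may run ahead of the server's (button
    presses that never reached the server), so a small look-ahead window resynchronises.
    Returns the next expected counter on success, or None on failure."""
    for c in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1          # never accept this counter value again (replay)
    return None


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side TOTP check, tolerating +/- one time step of clock drift."""
    t = now // step
    return any(hmac.compare_digest(hotp(secret, t + d), submitted)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(SECRET, c)}")     # 755224, 287082, 359152
    print("TOTP now:", totp(SECRET, int(time.time())))
```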
2.3. Something You Are
The something you are authentication factor uses biometrics for authentication. Biometric methods are the strongest form of authentication because they are the most difficult for an attacker to falsify.
a. Biometric Methods
Biometric systems use a two-step process. In the first step, users register with the authentication system. Later, when users want to access the system, they use the registered biometric feature to prove their identity. There are multiple types of biometrics:
- Fingerprint Scanner
Many laptop computers, tablet devices, mobile phones, and USB flash drives include a fingerprint scanner. They can store the fingerprints of three or four people so that they can share access to the same device.
- Retina Scanner
Retina scanners scan the retina of one or both eyes and use the pattern of blood vessels at the back of the eye for recognition.
- Iris Scanner
Iris scanners use camera technologies to capture the pattern of the iris around the pupil for recognition.
- Voice Recognition
Voice recognition methods identify who is speaking using speech recognition methods to identify different acoustic features. The differences between people’s voices come from their mouths, throats, and behavioural patterns that affect their speaking style.
- Facial Recognition
Facial recognition systems identify people based on facial features, such as the size of their face compared with the rest of their body, and the size, shape, and position of their eyes, nose, mouth, cheekbones, and jaw. A drawback of facial recognition is that lighting influences the results, but this can be mitigated by using alternate lighting, such as infrared (IR), in diverse lighting conditions.
Iris and retina scans are the strongest biometric methods mentioned in this section, though iris scans are used more than retina scans because of privacy issues (a retina scan can reveal medical conditions of users) and scanning requirements (a retina scan usually requires physical contact, but an iris scan does not). Facial recognition is the most flexible, and it might become the most popular when alternate lighting is used.
b. Biometric Errors & Evaluation
Two rates are used to describe the possibility of errors occurring when biometric methods are used:
- False Acceptance Rate (FAR)
A false acceptance occurs when a biometric system incorrectly identifies an unauthorized user as an authorized user. FAR is the percentage of attempts in which a false acceptance occurs. The more sensitive the biometric reader is, the lower the FAR.
- False Rejection Rate (FRR)
A false rejection occurs when a biometric system incorrectly identifies an authorized user as an unauthorized user. FRR is the percentage of attempts in which a false rejection occurs. The more sensitive the biometric reader is, the higher the FRR.
To describe the overall error of a biometric system, the crossover error rate (CER) is used, which is the point where the FAR crosses over with the FRR. A lower CER indicates that the biometric system is more accurate.
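FAR, FRR and the CER computed over a sweep of reader sensitivity settings, as an added example for these notes (not from the study guide). The match scores are constructed for illustration: a reader compares a presented sample to the stored template and accepts when the score reaches a threshold, so raising the threshold is what "more sensitive" means here.

```python
# Constructed match scores (0-100) from a hypothetical biometric reader: each genuine
# score is an authorized user matching their own template, each impostor score is an
# unauthorized user matching someone else's template.
GENUINE_SCORES = [55, 60, 65, 70, 75, 80, 85, 90]
IMPOSTOR_SCORES = [20, 30, 35, 40, 50, 60, 65, 70]


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores, thresholds):
    """(threshold, FAR, FRR) for each candidate sensitivity setting."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def crossover_error_rate(genuine_scores, impostor_scores, thresholds):
    """Threshold where FAR and FRR are closest, and the CER at that point.
    Raising the threshold lowers FAR and raises FRR, so the two curves cross once;
    the CER is the error rate at the crossing. Returns (threshold, CER)."""
    best = min(error_curve(genuine_scores, impostor_scores, thresholds),
               key=lambda row: abs(row[1] - row[2]))
    t, a, r = best
    return t, (a + r) / 2


if __name__ == "__main__":
    steps = range(0, 101, 5)
    for t, a, r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, steps):
        print(f"threshold={t:3d}  FAR={a:.3f}  FRR={r:.3f}")
    print("CER at threshold %d: %.3f" % crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, steps))
```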
2.4. Somewhere You Are
Many authentication systems use the Internet Protocol (IP) address for geolocation. Within an organization, it is also possible to use the computer name or the media access control (MAC) address of a system for the somewhere you are factor.
2.5. Something You Do
The something you do authentication factor refers to actions you can take, such as gestures on a touch screen. Gestures include tapping in specific places on a picture, drawing lines between items with a finger, or drawing a circle around an item. Another example of something you do is how you type. For example, keystroke dynamics measure the pattern and rhythm as a user types on a keyboard by measuring details such as speed, dwell time (the time a key is pressed), and flight time (the time between releasing one key and pressing the next key).
3. Authentication Services
Several other authentication services are available that fall outside the scope of the factors of authentication described above. Their common goal is to ensure that unencrypted credentials are not sent across a network, because an attacker can use tools such as a protocol analyser to capture and view network traffic. This section describes some of these services.
3.1. Kerberos
Kerberos is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms. Kerberos provides mutual authentication that can help prevent man-in-the-middle attacks and uses tickets to help prevent replay attacks. Kerberos includes several requirements for it to work properly. They are:
a. A method of issuing tickets used for authentication
The Key Distribution Centre (KDC) uses a complex process of issuing ticket-granting tickets (TGTs) and other tickets. The KDC (or TGT server) packages user credentials within a ticket. Tickets provide authentication for users when they access resources such as files on a file server. These tickets are sometimes referred to as tokens, but they are logical tokens, not the key fob type of token discussed earlier.
b. Time synchronisation
Kerberos version 5 requires all systems to be synchronized and within five minutes of each other. The clock that provides the time synchronisation is used to timestamp tickets, ensuring they expire correctly. This helps prevent replay attacks.
c. A database of subjects or users
In a Microsoft environment, this is Active Directory, but it could be any database of users.
When a user logs on with Kerberos, the KDC issues the user a ticket-granting ticket, which typically has a lifetime of 10 hours so that it is useful for a single workday. When the user tries to access a resource, the ticket-granting ticket is presented as authentication, and the user is issued a ticket for the resource.
3.2. NTLM
New Technology LAN Manager (NTLM) is a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems. At their most basic, they use Message Digest (MD) hashing algorithms to challenge users and check their credentials. There are three versions of NTLM:
- NTLM is a simple MD4 hash of a user’s password. MD4 has been cracked and neither NTLM nor MD4 are recommended for use today.
- NTLMv2 is a challenge-response authentication protocol. When a user attempts to log on, NTLMv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name (or computer name), the user’s password, the current time, and more. To create the HMAC-MD5 message authentication code, it starts with the MD5 hash of the user’s password, which is then encrypted.
- NTLM2 Session improves NTLMv2 by adding in mutual authentication. In other words, the client authenticates with the server, and the server also authenticates with the client.
3.3. LDAP & LDAPS
Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories, where a directory is a database of objects that provides a central access point to manage users, computers, and other directory objects. Windows domains use Active Directory, which is based on LDAP, and queries to Active Directory use the LDAP format, while Unix realms use LDAP to identify objects. Administrators often use LDAP in scripts, so they need a basic understanding of how to identify objects.
For example, a user named Homer in the Users container within the GetCertifiedGetAhead.com domain is identified as LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com:
- CN=Homer
CN is short for common name.
- CN=Users
CN is sometimes referred to as container in this context.
- DC=GetCertifiedGetAhead
DC is short for domain component.
- DC=com
This is the second domain component in the domain name.
LDAPS uses encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session before transmitting any data. TLS encrypts the data before transmission.
3.4. Single Sign-On
Single Sign-On (SSO) refers to the ability of a user to log on or access multiple systems by providing credentials only once. SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down, and it also makes it more convenient for users to access network resources. Kerberos and LDAP both include SSO capabilities. However, SSO requires strong authentication to be effective; otherwise attackers might easily guess credentials and gain access to multiple systems.
SSO requires a transitive trust between three or more systems, which creates an indirect relationship. The figure below shows a transitive trust:
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)-based data format used for SSO on web browsers. Many web-based portals use SAML for SSO. The user logs on to the portal once, and the portal then passes proof of the user’s authentication to back-end systems. Thus, as long as the user is authorized by the organization, they are not required to authenticate again to access other sites within the portal. SAML defines three roles:
a. Principal
This is typically a user. The user logs on once. If necessary, the principal requests an identity from the identity provider.
b. Identity Provider
An identity provider creates, maintains, and manages identity information for principals.
c. Service Provider
A service provider is an entity that provides services to principals. When a principal tries to access a resource, the service provider redirects the principal to obtain an identity first.
Some SSO systems can connect authentication mechanisms from different environments, such as different operating systems or different networks. One common method is a federated identity management system, often integrated as a federated database. The federated database provides central authentication in a nonhomogeneous environment. A federation requires a federated identity management system that all members of the federation use. Shibboleth is one of the federated identity solutions mentioned specifically in the CompTIA Security+ exam objectives; it is open source and freely available, and it also includes OpenSAML libraries written in C++ and Java, making it easier for developers to expand its usefulness.
OAuth is an open standard for authorization that many companies use to provide secure access to protected resources. Instead of creating a different account for each web site you access, you can often use the same account that you’ve created with a popular third party, such as Google, Facebook, PayPal, Microsoft, or Twitter. Developers configure their web site to exchange application programming interface (API) calls between it and the third-party servers. OpenID Connect works with OAuth 2.0 and allows clients (web sites/applications) to verify the identity of end users without managing their credentials. OpenID Connect provides identification services without requiring the application to handle the credentials, and it also streamlines the user experience for users.
4. Managing Accounts
Account management is concerned with the creation, management, disablement, and termination of accounts. Common practices, principles, and policies for managing accounts include:
4.1. Least Privilege
The principle of least privilege is an example of a technical control implemented with access control. Privileges are the rights and permissions assigned to authorized users. Rights refer to actions, such as the right to change the system time or the right to install an application, while permissions refer to permissions on files, such as read, write, and modify. Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, and no more. Doing so reduces the organization’s risk.
4.2. Need to Know
The principle of need to know is similar to the principle of least privilege in that users are granted access only to the data and information they need for their job. Notice that need to know focuses on data and information, which are typically protected with permissions. In contrast, the principle of least privilege includes both rights and permissions.
4.3. Account Types
When managing accounts, it’s important to recognize the common types of accounts used within a network. They are:
a. End user Accounts
Most accounts are for regular users. Administrators create these accounts and then assign appropriate privileges based on the user’s job responsibilities.
b. Privileged Accounts
A privileged account has additional rights and privileges beyond what a regular user has.
c. Guest Accounts
Windows operating systems include a Guest account, which is useful if you want to grant someone limited access to a computer or network without creating a new account. Administrators commonly disable the Guest account and only enable it in special situations.
d. Service Accounts
Some applications and services need to run under the context of an account, and a service account fills this need. It is like a regular end-user account; the only difference is that it is used by a service or application instead of an end user. One of the challenges with service accounts is that they are often not managed.
4.4. Two Accounts for Administrators
It is common to require administrators to have two accounts. They use one end-user account for regular day-to-day work and a privileged account, assigned the privileges required to perform administrative work. The benefit of this practice is that it reduces the exposure of the administrative account to attack, as well as the risk that comes from using the administrative account for day-to-day work.
4.5. Standard Naming Convention
It’s common for an organization to adopt a standard naming convention to ensure user account names and email addresses are created similarly. You probably won’t need to design a naming convention; however, if you start with a different organization and you need to create accounts, you should understand that the organization probably has a naming convention in place, and you should follow the convention for any accounts you create.
4.6. Prohibiting Shared & Generic Accounts
Account management policies often dictate that personnel should not use shared or generic accounts; instead, each user has at least one account that is accessible only to that user. This lets administrators give users access to resources individually; without it, it is impossible to implement basic authorization controls. Also, using unique accounts allows administrators to check logs and know exactly who took an action.
4.7. Disable Policies
Many organizations have a disablement policy that specifies how to manage accounts in different situations. It is worth noting that disabling is preferred over deleting an account, at least initially. Typical contents of an account disablement policy include:
a. Terminated Employee
An account disablement policy specifies that accounts for ex-employees are disabled as soon as possible. This ensures a terminated employee doesn’t become a disgruntled ex-employee who wreaks havoc on the network.
b. Leave of Absence
If an employee will be absent for an extended period, the account should be disabled while the employee is away.
c. Delete Account
When the organization determines the account is no longer needed, administrators delete it.
4.8. Recovering Accounts
In some situations, administrators need to recover accounts. The two primary account recovery scenarios are:
a. Enable a disabled account
Administrators can reset the user’s password and take control of the account. Similarly, they can pass control of the account to someone else, such as the supervisor or manager of an ex-employee. Administrators reset the user’s password, set it to expire on first use, and then give the password to the other person.
b. Recover a deleted account
It is also possible to recover a deleted account. This is more complex than simply creating another account with the same name. Instead, administrators follow detailed procedures to recover the account.
4.9. Time-of-Day Restrictions
Time-of-day restrictions specify when users can log on to a computer. If a user tries to log on to the network outside the permitted time, the system denies access to the user. For example, if a company operates from 8 am to 5 pm daily, administrators might set time-of-day restrictions for user accounts to 6 am to 8 pm.
4.10. Location-Based Policies
Location-based policies restrict access based on the location of the user, as discussed under ‘somewhere you are’ earlier.
4.11. Expiring Accounts and Recertification
It’s possible to set user accounts to expire automatically. When the account expires, the system disables it, and the user is no longer able to log on using the account. It is common to configure temporary accounts to expire.
4.12. Account Maintenance
Administrators routinely perform account maintenance, and this is often done with scripts to automate the process. Scripts let administrators filter the accounts they need and act on them. For example, an administrator can use a script to find accounts that should be disabled under the disablement policy but are still enabled, and disable them automatically.
4.13. Credential Management
A credential is a collection of information that provides an identity (such as a username) and proves that identity (such as with a password). Credential management systems help users store these credentials securely. Their goal is to simplify credential management for users, while also ensuring that unauthorized personnel do not have access to the users’ credentials.
5. Access Control Models
Access control ensures that only authenticated and authorized entities can access resources. This starts by ensuring that users are accurately identified and authenticated. Then, administrators grant access using one of several different models. When using any of the access control models, it is important to understand the following terms:
a. Subjects
Subjects are typically users or groups that access an object.
b. Objects
Objects are items such as files, folders, shares, and printers that subjects access.
The following are some common access models:
5.1. Role-Based Access Control
Role-based access control (role-BAC) uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. An administrator creates the roles and then assigns specific rights and permissions to the roles. When an administrator adds a user to a role, the user has all the rights and permissions of the role. (An example is SQL management.) Another example is Microsoft Project Server. The Project Server can host multiple projects managed by different project managers. It includes the following roles:
- Administrators
Administrators have complete access and control over everything on the server, including all of the projects managed on the server.
- Executives
Executives can access data from any project held on the server, but do not have access to modify system settings on the server.
- Project Managers
Project managers have full control over their own projects, but do not have any control over projects owned by other project managers.
- Team Managers
Team managers can typically report on work that project managers assign to them, but they have little access outside the scope of their assignments.
Role-BAC is also called hierarchy-based or job-based. In the Project Server example, the hierarchy is obvious: top-level roles have significantly more permissions than lower-level roles. The same example also shows the job-, task-, or function-based view, since the roles are centred on the job or function that users need to perform.
5.2. Rule-Based Access Control
Rule-based access control (rule-BAC) uses rules. The most common example is rules in routers or firewalls. However, more advanced implementations cause rules to trigger within applications too.
Routers and firewalls use rules within access control lists (ACLs), which define the traffic that the devices allow into the network. These rules are typically static, which means that administrators create the rules, and the rules stay the same unless an administrator changes them again. However, some rules are dynamic. For example, an IDS can detect attacks and then modify rules to block traffic from an attacker. In that case, the attack triggers a change in the rules.
5.3. Discretionary Access Control
In the discretionary access control (DAC) model, every object has an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most Unix-based systems, use the DAC model.
Microsoft systems identify users with security identifiers (SIDs), though you will rarely see a SID. A SID is a long string of characters that is meaningless to most people. Instead of displaying the SID, the system looks up the name associated with the SID and displays the name. Similarly, Microsoft systems identify groups with a SID. In a system using the DAC model, every object includes a discretionary access control list (DACL) that identifies who can access it.
An inherent flaw associated with the DAC model is its susceptibility to Trojan horses. Trojan horses are executable files that masquerade as something useful but include malware.
5.4. Mandatory Access Control
The mandatory access control (MAC) model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects and objects. When the labels match, the system can grant a subject access to an object; otherwise the MAC model blocks access. Military units make wide use of this model to protect data. Security-Enhanced Linux (SELinux) is one of the few operating systems using the MAC model. The MAC model uses different levels of security to classify both the users and the data. These levels are defined in a lattice. The lattice can be a complex relationship between different ordered sets of labels. The labels define the boundaries for the security levels. Higher-level clearances include lower-level clearances, but it is worth noting that the use of the MAC model should also follow the ‘need to know’ principle.
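The lattice decision described above in code, as an added example for these notes (not from the study guide or from SELinux): a label is an ordered sensitivity level plus a set of need-to-know compartments, and a subject may read an object only when its clearance dominates the object's label on both. The level names, compartments, subjects and objects are constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels; a higher clearance includes the lower ones.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a sensitivity level plus need-to-know compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: level at least as high AND every compartment of `other` held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_read_allowed(subject: Label, obj: Label) -> bool:
    """MAC read decision: the subject's clearance must dominate the object's label.
    The level check gives the hierarchy (Top Secret includes Secret and below);
    the compartment check is what enforces need to know on top of it."""
    return subject.dominates(obj)


# Constructed subjects and objects for illustration.
SUBJECTS = {
    "analyst": Label("Secret", frozenset({"NUCLEAR"})),
    "general": Label("Top Secret"),                 # high clearance, no compartments
    "clerk": Label("Confidential"),
}
OBJECTS = {
    "launch_codes": Label("Secret", frozenset({"NUCLEAR"})),
    "budget": Label("Confidential"),
    "ops_plan": Label("Top Secret", frozenset({"NUCLEAR"})),
}


def decisions() -> dict:
    """Every (subject, object) pair mapped to its allow/deny decision."""
    return {(s, o): mac_read_allowed(SUBJECTS[s], OBJECTS[o])
            for s in SUBJECTS for o in OBJECTS}


if __name__ == "__main__":
    for (s, o), ok in decisions().items():
        print(f"{s:8s} -> {o:13s}: {'ALLOW' if ok else 'DENY'}")
```

Note that the general is denied the launch codes despite holding the highest level: the compartment is missing, which is exactly the need-to-know rule layered over the hierarchy.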
5.5. Attribute-Based Access Control
Attribute-based access control (ABAC) evaluates attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grants access when the system detects a match in the policy. Many software-defined networks (SDNs) use ABAC models. Instead of rules on physical routers, policies in the ABAC system control the traffic. Policy statements typically include four elements:
a. Subject
This is typically a user. Properties such as employment status, group membership, job role, logged-on status, and more can be used as attributes.
b. Object
This is the resource that the user is trying to access.
c. Action
The action is what the user is attempting to do, such as reading or modifying a file, accessing specific web sites, and accessing web site applications.
d. Environment
The environment includes everything outside of the subject and object attributes. This is often referred to as the context of the access request, and it includes the communication method.
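A small ABAC policy engine over the four elements above, added here as an example for these notes (not from the study guide or any product): each policy states the subject, object, action and environment attribute values it requires, and access is granted only when all four match, with default deny otherwise. The policies, attribute names and requests are constructed for illustration.

```python
# Hypothetical ABAC policies, constructed for this example. A policy lists the attribute
# values each of the four elements must carry; a list value means "any of these", and an
# "hours" entry in the environment is a half-open [start, end) range of the hour of day.
POLICIES = [
    {
        "name": "finance-staff-read-finance-reports",
        "subject": {"department": "finance", "employment_status": "active"},
        "object": {"type": "report", "department": "finance"},
        "action": {"read"},
        "environment": {"network": "corporate"},
    },
    {
        "name": "managers-modify-reports-in-business-hours",
        "subject": {"job_role": "manager", "employment_status": "active"},
        "object": {"type": "report"},
        "action": {"read", "modify"},
        "environment": {"network": ["corporate", "vpn"], "hours": (8, 18)},
    },
]


def make_request(subject: dict, obj: dict, action: str, environment: dict) -> dict:
    """Bundle the four elements of an access request."""
    return {"subject": subject, "object": obj, "action": action, "environment": environment}


def _attrs_match(required: dict, actual: dict) -> bool:
    """Every required attribute must be present in the request with a matching value."""
    for key, want in required.items():
        have = actual.get(key)
        if isinstance(want, (list, set, frozenset)):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def _env_match(required: dict, env: dict) -> bool:
    """Environment (context) attributes, with the time-of-day range handled separately."""
    hours = required.get("hours")
    if hours is not None:
        start, end = hours
        if not (start <= env.get("hour", -1) < end):
            return False
    rest = {k: v for k, v in required.items() if k != "hours"}
    return _attrs_match(rest, env)


def evaluate(request: dict, policies=POLICIES):
    """Default deny: return the name of the first policy whose four elements all match, else None."""
    for policy in policies:
        if (_attrs_match(policy["subject"], request["subject"])
                and _attrs_match(policy["object"], request["object"])
                and request["action"] in policy["action"]
                and _env_match(policy["environment"], request["environment"])):
            return policy["name"]
    return None


if __name__ == "__main__":
    req = make_request(
        {"department": "finance", "employment_status": "active", "job_role": "analyst"},
        {"type": "report", "department": "finance"},
        "read",
        {"network": "corporate", "hour": 10},
    )
    print(evaluate(req))  # finance-staff-read-finance-reports
```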
These review notes are compiled from the Study Guide by Darril Gibson and are for learning reference only.
Source: oschina
Link: https://my.oschina.net/u/4303989/blog/4759673