AAA from the Lens of ISM + Legal Aspects

Questions and Answers

What is the primary concern with authorization without auditing?

The authorizer may not be able to create access control policies

The authorizer may not be able to delegate tasks

The authorizer may not be aware of the authorizee's actions (correct)

The authorizer may not have the necessary permissions

Which technique is used for source of origin verification?

Message Encryption Codes

Message Authentication Codes (correct)

Digital Signature Verification

Identity Verification Tokens

What is the primary benefit of non-repudiation?

It provides a secure authentication mechanism

It enables delegation of tasks without auditing

It provides a reliable record of who did what (correct)

It allows for anonymous access control

Who is responsible for issuing verifiable credentials?

Credential Issuers

What is the purpose of delegation in access control?

To transfer accountability from the authorizer to the delegate

What is the primary goal of continuous authentication?

To create a continuous audit trail of user activities

What is the primary purpose of accountability in a system?

To ensure that the actions of an entity can be traced uniquely to that entity

What is the primary function of a reference monitor in access control?

To monitor and control access to system resources

What is the primary purpose of an audit trail in a system?

To log and record system events for accountability purposes

What is the primary function of an audit service in a system?

To records information needed to establish accountability for system events

What is the primary purpose of authentication in a system?

To ensure the identity of users and identity providers

What is the primary purpose of an audit policy in a system?

To define evidence to be collected, who can access, and who manages what

What is the primary purpose of identity management (IdM)?

To verify attribute assertions

What is a common challenge in managing devices for users?

Managing multiple devices at the same time

What is the benefit of using a federation to manage access control?

To authenticate entities across multiple systems

What is an example of a credential used to support authentication?

All of the above

What is the main advantage of federated identity management (FIM)?

It separates authentication and authorization

What is the primary benefit of single sign-on (SSO) capabilities?

It allows users to access resources at multiple systems by logging in once

Logs can be stored on external ______ such as hard disk, portable media.

memory

SIEM stands for ______ Information and Event Management.

Security

Identity management systems are responsible for the creation, use, and termination of electronic ______.

identities

Event logs are often managed as part of an SIEM system to facilitate ______ collection, storage, analysis, and exchanges.

data

CTI stands for ______ Threat Intelligence.

Cyber

An entity can have multiple ______.

identities

CTI can be made part of the SIEM system or be ______ managed.

separately

ISM deals with laws such as ______ laws, digital investigation laws, and online safety laws.

cybercrime

Authentication techniques are used to provide ______ for users.

accountability

Attributes are information bound to an entity that specifies a characteristic of the ______.

entity

Identity management is used for authentication, accountability, and ______.

authorization

ITUT defines identity management as a set of functions and capabilities used for assurance of ______ information.

identity

Digital Forensics & ______ used for establishing accountability.

eDiscovery

Security Operations Centre (SOC) is key in enabling ______ in org.

accountability

______ management involves identifying, classifying, prioritizing, and remediating vulnerabilities.

Vulnerability

Cyber Incident Management consists of Prepare, Handle, and ______ operations.

Follow Up

SIEM (Security Information and Event Management) is used for ______ and analysis of security-related data.

correlation

CSIRTs aka ______ / CITR = Cyber/Computer Security Incident Response Team.

CERT

Study Notes

Authentication and Authorization

• Authentication is between users and Identity Providers (IdPs)
• Authorization is between users and Service Providers (SPs)
• Users and SPs trust IdPs, but IdPs and SPs do not trust users

Access Control

• Access requester can be a user or non-user entity
• Reference monitor is the monitor of access policies

Accountability

• Property that ensures actions of an entity may be traced uniquely to that entity
• Needed for legal aspects, contract obligations, business needs, ethical requirements, social goods, and personal needs or wishes

Auditing

• Audit service: records information needed to establish accountability for system events and actions of system entities
• Security audit: independent review of system's records and activities to determine adequacy of system controls, ensure compliance with security policy, detect breaches, and recommend changes
• Audit trails are examples of control measurements recorded as part of system operations
• Audit policies define:
  • Evidence to be collected
  • Who can access
  • Who manage what
  • Investigations to be triggered
  • Post-incident actions
  • How staff training and communications should be organized
• Event logging: events include policy changes, database changes, configuration changes, login events, authorization events, resource access events, etc.

Risk-Based Authentication and Continuous Authentication

• Risk-based authentication: identifies audit trials that require more attention
• Continuous authentication: creates a continuous audit trial of each user during login

Authorisation and Accountability

• Authorisation without auditing is dangerous as the authorizer should be responsible for all authorisation decisions
• Accountability of the authorizer, policy makers, delegator, and delegate is necessary

Non-Repudiation

• Source of origin verification
• Techniques include MACs (message Authentication Codes) and digital certificates issued by trusted third parties (Certificate Authorities)

Identity Management (IdM)

• Verifying attribute assertions: entity claims to hold one or more specific attributes (identifier and others)
• Credentials support authentication of entities
• Examples: digital certificates, government-issued credentials, SIM cards, ATM cards
• Federated Identity Management (FIM): manages access control (authentication and authorization) across multiple systems and single sign-on (SSO)

Logging and Auditing

• Logs can be stored on external memory, main memory, cloud storage, database, remote service, special devices
• SIEM (Security Information and Event Management) facilitates data collection, storage, analysis, and exchange
• CTI (Cyber threat intelligence) provides useful data about cyber threats from different sources

Authentication Techniques

• Possession-based authentication: identifies hardware devices involved
• Inherence-based authentication: identifies people involved
• Context-based authentication: identifies contextual factors involved (e.g., geo-locations)

ISM Relevant Laws

• Cybercrime laws
• Digital investigation laws
• Online safety laws
• Information security laws
• Data protection and privacy laws
• Freedom of information laws

Entity vs Identity

• Many-to-many relationship: an entity can have multiple identities, and an identity can be claimed/used by multiple entities
• Identity Management systems manage (create, maintain, expire) identities including mappings to entities

Definitions of Identity Management

• NIST: creation, use, and termination of electronic identities
• ISO: processes and policies involved in managing the lifecycle and value, type, and optional metadata of attributes in identities
• ITU-T: set of functions and capabilities used for assurance of identity information and supporting business and security applications

Insider Threat Detection

• More than 50% of organizations have insider threats
• Types: malicious insiders, negligent insiders, unintentional insiders, infiltrators
• Involves monitoring and logging of all systems, including internal and external systems

Digital Forensics and eDiscovery

• Digital Forensics: scientific tasks, techniques, and practices used in the investigation of stored or transmitted binary information for legal purposes
• eDiscovery: discovery that includes the identification, preservation, collection, processing, review, analysis, or production of Electronically Stored Information

Security Operations Centre (SOC)

• Key in enabling accountability in organizations
• Activities include integration, management, and review of traffic feeds, protective monitoring, initial triage, and analysis, vulnerability management, alerting and response, incident management, root cause analysis, patching & remediation, correlation management, SIEM tuning, and continuous improvement

Cyber/Computer Security Incident Response Team (CSIRT) and Security Operations Centre (SOC)

• CSIRT: narrower scope than SOC, serves a single organization
• CSIRTs and SOCs work together and share resources

Information Sharing and Analysis Centre (ISAC)

• Enhances effectiveness and efficiency of the whole sector/nation/region's ISM and cyber incident response capabilities
• Example: NCSC

Description

Test your knowledge of information security and access control concepts, including risk-based authentication, continuous authentication, authorization, and accountability. Learn how to identify and mitigate security risks in user authentication and authorization processes.