Chapter 8 Identity and Access Management
Questions and Answers

What is the preferred method for deprovisioning accounts according to the provided information?

  • Completing access reviews
  • Deleting accounts completely (correct)
  • Archiving inactive accounts
  • Disabling accounts temporarily

What does 'Just-in-time (JIT)' permissions aim to prevent?

  • Ongoing access for users when not needed (correct)
  • Unauthorized access when accounts are disabled
  • Multiple logins by the same user
  • Frequent password changes

Which feature of Privileged Access Management (PAM) focuses on managing temporary permissions?

  • Account provisioning
  • Access reviews
  • Just-in-time (JIT) permissions (correct)
  • Password vaulting

What is a potential risk of simply disabling an account instead of deleting it?

  • The account can be re-enabled and used in an attack (correct)

What is the main purpose of password vaulting in a PAM environment?

  • To allow access to privileged accounts without sharing passwords (correct)

Which of the following is NOT a feature associated with Privileged Access Management tools?

  • Unlimited strength password generation (correct)

What primary principle do PAM tools help maintain through their processes?

  • Principle of least privilege (correct)

How do PAM tools improve the auditing process for privileged accounts?

  • Through detailed reporting and monitoring capabilities (correct)

What is the primary focus of NIST regarding password security?

  • Length as the primary control (correct)

Which method is NOT classified as a biometric authentication?

  • Password entry (correct)

Which access control model allows users to control who can access certain resources?

  • Discretionary access control (correct)

What technique is often used by Privileged Access Management systems to better control access?

  • Just-in-time permissions (correct)

Which of the following methods is commonly used for multifactor authentication?

  • Software tokens (correct)

How do password vaults enhance password security?

  • By providing cryptographically secured storage (correct)

What feature is essential for identity verification in authentication?

  • The use of smartcards, tokens, or certificates (correct)

Which of the following is a characteristic of passwordless authentication?

  • It replaces passwords with secure tokens or applications (correct)

What is the primary purpose of password vaulting?

  • To allow privileged credentials to be checked out and create logged events (correct)

What defines an ephemeral account?

  • A temporary account with a short lifespan for specific purposes (correct)

Which access control model relies on a central authority to enforce security policies?

  • Mandatory Access Control (MAC) (correct)

Which of the following best describes authorization in the context of identity and access management?

  • Providing authenticated users with the rights needed to perform their roles (correct)

In which scenario is Discretionary Access Control (DAC) commonly utilized?

  • Where file owners can assign permissions as needed (correct)

What is a characteristic of Mandatory Access Control (MAC) systems?

  • Control is enforced based on a security policy (correct)

What is the primary function of authentication in identity management?

  • To prove the identity of a user through various factors (correct)

Which technologies are commonly associated with single sign-on (SSO) solutions?

  • OAuth, OpenID, and SAML (correct)

Which of the following is NOT a benefit of using password vaults?

  • Providing unlimited access to all users (correct)

What is critical for the successful implementation of ephemeral accounts?

  • Ensuring they are properly deprovisioned after use (correct)

How does multifactor authentication enhance security?

  • By requiring multiple forms of identity verification (correct)

What is the purpose of account policies in user account management?

  • To define the lockout and disabling conditions for accounts (correct)

An example of a high-security system that uses Mandatory Access Control is:

  • SELinux (correct)

Privileged access management is primarily concerned with:

  • Managing and monitoring the accounts with elevated privileges (correct)

Federation in identity management allows users to:

  • Reuse the same identity across various relying party locations seamlessly (correct)

What is a potential risk of improperly set filesystem permissions?

  • Exploitation by attackers to access unauthorized data (correct)

What is the primary focus of privileged access management (PAM)?

  • Managing privileged accounts and rights (correct)

Which access control scheme uses user attributes to determine access rights?

  • Attribute-based access control (ABAC) (correct)

Which method allows users to control access to resources they own?

  • Discretionary access control (DAC) (correct)

Which technique in privileged access management allows temporary access for specific tasks?

  • Just-in-time permission granting (correct)

What distinguishes role-based access control (RBAC) from rule-based access control?

  • RBAC is based on user roles while rule-based relies on conditions (correct)

Which access control model relies on the system administrator to set permissions?

  • Mandatory access control (MAC) (correct)

Which of the following is NOT a component of privileged access management?

  • Permanent access rights (correct)

Which of the following schemes allows for flexible access rights based on predefined rules?

  • Rule-based access control (correct)

What is the primary function of the Extensible Authentication Protocol (EAP)?

  • Authentication framework for wireless networks (correct)

Which protocol authenticates with a three-way handshake and a hashed challenge-response, so the secret itself is never transmitted?

  • CHAP (correct)

How does RADIUS protect passwords during transmission?

  • By obfuscating the User-Password attribute with an MD5 hash of the shared secret and Request Authenticator (correct)

What is a significant feature of TACACS+ compared to RADIUS?

  • It encrypts the full packet, not just the password (correct)

Which role does LDAP play in the authentication process discussed?

  • It serves as a backend directory for identity information (correct)

What distinguishes Kerberos from other authentication protocols mentioned?

  • It authenticates service requests between trusted hosts across untrusted networks (correct)

Which standard is 802.1X primarily associated with?

  • Network access control (NAC) (correct)

Which of the following statements best describes the operation of RADIUS?

  • It functions on a client-server model, normally over UDP (RADIUS over TCP is also defined) (correct)

What are the three main elements that make up a Kerberos principal?

  • Primary, instance, realm (correct)

What does the TGT, issued by the authentication server, primarily provide?

  • Proof of authentication that the client presents to the TGS to request service tickets (correct)

How does a client use Kerberos to access a service after receiving the TGT?

  • The client sends the TGT to the TGS along with the resource name (correct)

What is the role of realms in the Kerberos authentication system?

  • To define the trust boundaries between different user groups (correct)

What is primarily encrypted using the secret key of the ticket-granting service (TGS)?

  • The ticket-granting ticket (TGT) (correct)

What is the primary function of an OpenID identity provider?

  • To authenticate the user on behalf of a relying party and return an assertion about that user's identity (correct)

What advantage does OAuth provide to users?

  • It allows selective sharing of user information without revealing credentials (correct)

Which of the following scenarios exemplifies typical use of OpenID?

  • Logging into a web application using a 'Log in with Google' feature (correct)

What is a key characteristic of how relying parties interact with identity providers?

  • They send authentication requests and receive an assertion in response (correct)

How do tools that use OAuth typically operate in regard to user permissions?

  • They specify what data third-party applications can access based on permissions (correct)

What is a primary advantage of using Single Sign-On (SSO) systems?

  • Simplified user interactions with authentication (correct)

Which of the following technologies is NOT commonly associated with Single Sign-On (SSO)?

  • Transport Layer Security (TLS) (correct)

Which component is typically part of a directory service like LDAP?

  • Hierarchical organization of data (correct)

What is a potential drawback of implementing Single Sign-On (SSO) in high-security environments?

  • A single compromised credential grants access to every connected system, so additional authentication steps are often required (correct)

How does Security Assertion Markup Language (SAML) function in the context of SSO?

  • It provides an XML framework for exchanging authentication and authorization assertions between identity providers and service providers (correct)

What role does an identity provider play in the SSO framework utilizing SAML?

  • Issues SAML assertions to service providers (correct)

What is a characteristic feature of OpenID as an authentication standard?

  • Decentralized user authentication (correct)

Which of the following statements best describes the trade-off involved with implementing SSO systems?

  • Increased user productivity vs. decreased security boundaries (correct)

What does NIST recommend regarding password complexity requirements?

  • They should be avoided in favor of emphasizing length (correct)

Which method does NIST recommend for storing passwords securely?

  • Employing salting and secure hashing methods (correct)

What is a common reason organizations have stopped setting frequent password expiration dates?

  • Frequent expiration drives help desk calls and predictable password changes without a matching security benefit (correct)

What practice does NIST suggest regarding the inclusion of special characters in passwords?

  • They should be optional and not required (correct)

Which of the following is NOT recommended by NIST for password management?

  • Setting high complexity requirements for all passwords (correct)

What is the recommended approach regarding pasting passwords into fields?

  • It should be allowed to improve usability and support password managers (correct)

How do organizations ensure that new passwords are secure against compromises?

  • By checking new passwords against lists of compromised and commonly used passwords (correct)

What primary threat does NIST suggest organizations should be aware of in relation to authentication?

  • Risks associated with their specific context (correct)

What does a Type I error in biometric systems represent?

  • Rejecting a legitimate biometric input (correct)

Which metric assesses how often an attack will succeed against a biometric system?

  • Imposter Attack Presentation Match Rate (IAPMR) (correct)

How does the Receiver Operating Characteristic (ROC) graphically represent the efficacy of a biometric system?

  • It plots the False Rejection rate against the False Acceptance rate across thresholds (correct)

What is the specified FRR threshold for certification by the FIDO Alliance?

  • 3 percent of attempts (correct)

User acceptance of biometric systems is influenced by which of the following factors?

  • The physical manner in which the biometrics are collected (correct)

What does a decreased likelihood of false rejection typically cause in a biometric system?

  • Increased false acceptance rate (correct)

Why are backup methods necessary in biometric systems?

  • To accommodate users with unscannable biometrics (correct)

Which factor does the Imposter Attack Presentation Match Rate (IAPMR) aim to measure?

  • Frequency of successful attacks against the system (correct)

What is a key advantage of Role-based Access Control (RBAC) in an organizational context?

  • It simplifies the delegation of rights and permissions (correct)

Which of the following is a disadvantage of Attribute-based Access Control (ABAC)?

  • It can be complex to manage due to its flexibility (correct)

Which access control model utilizes created rules to allow or deny access to objects?

  • Rule-based Access Control (RuBAC) (correct)

Which of the following best describes the principle of 'least privilege'?

  • Accounts should have the minimum permissions necessary to perform their job functions (correct)

In which scenario would time-of-day restrictions be particularly useful?

  • When limiting access to a system only during business hours (correct)

Which of the following best describes how Linux filesystem permissions are represented?

  • As a string of letters such as drwxr-xr-x in file listings, with a numeric (octal) shorthand such as 755 used with chmod (correct)

What primary function does the role assignment rule fulfill in RBAC systems?

  • It ensures subjects can only use permissions matching their assigned roles (correct)

Which statement most accurately reflects the function of Mandatory Access Control (MAC)?

  • It relies on predefined security policies set by the security administrator and enforced by the system (correct)

What is a common example of role authorization in RBAC?

  • A user's active role must be authorized before its permissions can be exercised, so merely holding a role is not enough (correct)

Which limitation is often associated with discretionary access control (DAC)?

  • Owners can grant access to others at will, so a consistent central policy cannot be guaranteed (correct)

Which of the following best describes the purpose of Just-in-time (JIT) permissions in Privileged Access Management?

  • To temporarily grant permissions only when needed and revoke them afterward (correct)

What is a significant challenge posed by the implementation of Just-in-time (JIT) permissions?

  • They require additional steps for users to obtain necessary privileges (correct)

How do password vaults enhance the management of privileged accounts in a PAM environment?

  • By providing access without users needing to know the passwords (correct)

What is the primary characteristic of ephemeral accounts in a PAM context?

  • They are temporary accounts with limited lifespans tailored for specific purposes (correct)

Which statement accurately describes Mandatory Access Control (MAC) systems?

  • Security policies are centrally determined and enforced by the operating system (correct)

What is the major benefit of employing password vaulting as part of a PAM strategy?

  • It maintains a logged history of credential usage for audit trails (correct)

What is a primary focus of implementing Privileged Access Management tools?

  • To maintain the least privilege principle by limiting user permissions (correct)

What primary function do PAM tools serve in the context of auditing?

  • They enhance visibility and provide detailed audit capabilities for privileged accounts (correct)

    Study Notes

    Privileged Access Management (PAM)

    • PAM focuses on managing privileged accounts and their rights through techniques like just-in-time permissions and ephemeral accounts.
    • Just-in-time (JIT) permissions are granted for specific tasks and revoked afterward to limit ongoing access.
    • Password vaulting allows users to access privileged accounts without knowing passwords, keeping a logged record of usage.
    • Ephemeral accounts have a limited lifespan, ideal for temporary access needs, ensuring timely deprovisioning.
    • PAM tools ensure the principle of least privilege is maintained by limiting privileges to the minimum required for tasks.

    Access Control Schemes

    • Access control schemes determine user rights and include:
      • Attribute-based access control (ABAC): Uses user attributes for access determination.
      • Role-based access control (RBAC): Assigns permissions based on user roles.
      • Rule-based access control: Applies rules for access control, often confused with RBAC.
      • Mandatory access control (MAC): Centralized control enforced by the operating system, prevalent in high-security systems.
      • Discretionary access control (DAC): Users can grant permissions on objects, commonly used in personal computing.

    Account Deprovisioning

    • Deprovisioning can be partial (for example, an account is modified or disabled rather than removed); fully removing the account is the more secure option.
    • A deleted account cannot be reactivated by an attacker, whereas a disabled account can be re-enabled and abused if its controls are weak.

    Authentication Methods

    • Multifactor authentication enhances security by combining factors like something you know (password), something you have (token), and something you are (biometric).
    • Biometric authentication methods, such as fingerprints and facial recognition, can have accuracy issues.
    • Password best practices have shifted towards emphasizing length over complexity in the context of increasing use of multifactor authentication.

    Identity and Access Management

    • Identity is foundational to security, established through authentication processes that often involve certificates, tokens, and smartcards.
    • Authorization assigns necessary privileges to authenticated users based on their roles.
    • A range of account types exists, including guest users, normal users, service accounts, and privileged accounts, each with specific policies governing their use.

    Single Sign-On and Federation

    • Single sign-on (SSO) enables users to log in once and access multiple systems with that identity.
    • Federation allows users to utilize identities through service providers and relying parties across different platforms without needing separate accounts.
    • Technologies like RADIUS, LDAP, and SAML facilitate the integration of identity and access management systems.

    Filesystem Permissions

    • Filesystem permissions control access to files, with operations such as read, write, and execute defined for users.
    • Inadequate or ineffective permission settings can lead to security breaches, like directory traversal attacks.
    • Secure filesystem permissions are crucial to prevent unauthorized data access and application execution.

    EAP Authentication Framework

    • EAP is an authentication framework commonly used for wireless networks.
    • EAP is used by many different implementations including vendor-specific and open methods like EAP-TLS, LEAP, and EAP-TTLS.
    • Each protocol implements EAP messages using its own messaging standards.

    CHAP Authentication Protocol

    • CHAP provides more security than earlier protocols like PAP.
    • Uses a three-way handshake: the authenticator sends a random challenge, the peer replies with an MD5 hash of its identifier, secret, and the challenge, and the authenticator recomputes the hash to verify. The secret itself is never sent, but the server must hold it in cleartext.
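The handshake above, worked through as an added example (not code from the page or the study guide): both sides of the exchange, plus the check that a captured response cannot be replayed because each challenge is consumed after one use. The peer name and secret are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge). No encryption is involved."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the three-way handshake: challenge -> response -> success/failure."""

    def __init__(self, secrets: dict[str, bytes]):
        # CHAP needs the cleartext secret on the server side; that is its main storage weakness.
        self._secrets = secrets
        self._pending: dict[int, bytes] = {}  # outstanding challenges keyed by Identifier
        self._next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        """Step 1: send a fresh random challenge under a unique Identifier."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(16)
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash for the stored challenge and compare in constant time."""
        chal = self._pending.pop(ident, None)  # one-shot: a replayed response finds no challenge
        if chal is None or name not in self._secrets:
            return False
        expected = chap_response(ident, self._secrets[name], chal)
        return hmac.compare_digest(expected, response)


def run_handshake(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """Step 2 is the peer computing the response; returns the authenticator's verdict."""
    ident, chal = auth.challenge()
    return auth.verify(ident, name, chap_response(ident, secret, chal))


def replay_is_rejected(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """A captured (Identifier, response) pair is useless once its challenge has been consumed."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, secret, chal)
    first = auth.verify(ident, name, resp)
    second = auth.verify(ident, name, resp)  # replay of the same response
    return first and not second


if __name__ == "__main__":
    server = ChapAuthenticator({"alice": b"s3cret-alice"})  # constructed sample peer and secret
    print("correct secret:", run_handshake(server, "alice", b"s3cret-alice"))
    print("wrong secret:  ", run_handshake(server, "alice", b"guess"))
    print("replay rejected:", replay_is_rejected(server, "alice", b"s3cret-alice"))
```

Note that the security rests on the challenge being unpredictable and single-use; MD5 is fine for this purpose only because the secret stays off the wire, which is also why PAP's cleartext transmission is worse.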

    802.1X Network Access Control

    • IEEE standard for network access control (NAC).
    • Used for authentication for devices that want to connect to a network.
    • Supplicants send authentication requests to authenticators like network switches, access points, or wireless controllers.
    • Controllers connect to an authentication server, typically via RADIUS.
    • RADIUS servers rely on a backend directory using LDAP or Active Directory for identity information.

    RADIUS Authentication, Authorization, and Accounting (AAA) System

    • One of the most common AAA systems for network devices, wireless networks, and other services.
    • Operates in a client-server model, normally over UDP (ports 1812 for authentication and 1813 for accounting); RFC 6613 also defines RADIUS over TCP.
    • Only the User-Password attribute is hidden, by XORing it with an MD5 hash of the shared secret and the per-request authenticator; the rest of the packet is cleartext, and the hiding is easily reversed if the shared secret is weak, so its password security is not strong.
    • RADIUS traffic between the RADIUS network access server and the RADIUS server is typically encrypted using IPSec tunnels or other protections.
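The User-Password hiding scheme from RFC 2865 section 5.2, implemented here as an added example (not code from the page or the study guide) to show why the notes call its password security weak: the hide and reveal operations are symmetric, and an eavesdropper who captures one Access-Request can test shared-secret guesses offline. The authenticator, password and wordlist are constructed sample values.

```python
import hashlib
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    Pad the password with NULs to a multiple of 16 bytes, then XOR each 16-byte block
    with MD5(shared_secret + previous block). The first "previous block" is the 16-byte
    Request Authenticator, which travels in the clear in the same packet.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(shared_secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _looks_like_password(candidate: bytes) -> bool:
    # A wrong secret yields pseudo-random bytes; a right one yields printable text.
    return len(candidate) > 0 and all(0x20 <= c < 0x7F for c in candidate)


def guess_shared_secret(hidden: bytes, authenticator: bytes, wordlist: list) -> Optional[bytes]:
    """Offline attack on one captured Access-Request: try secrets until the
    revealed value looks like a password. No RADIUS server is ever contacted."""
    for secret in wordlist:
        if _looks_like_password(reveal_password(hidden, secret, authenticator)):
            return secret
    return None


if __name__ == "__main__":
    # Constructed sample values; a real Request Authenticator is random per request.
    authenticator = bytes.fromhex("0123456789abcdef0123456789abcdef")
    hidden = hide_password(b"hunter2!", b"testing123", authenticator)
    print("on the wire:", hidden.hex())
    print("with the secret:", reveal_password(hidden, b"testing123", authenticator))
    print("guessed secret:", guess_shared_secret(hidden, authenticator, [b"radius", b"password", b"testing123"]))
```

This is why the notes recommend IPsec or RadSec (RADIUS over TLS) between NAS and server, and a long random shared secret per NAS: the hiding alone provides no real confidentiality against an attacker with a packet capture.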

    TACACS+ Authentication, Authorization, and Accounting (AAA) System

    • Cisco-designed extension to TACACS, the Terminal Access Controller Access Control System.
    • Uses TCP traffic for authentication, authorization, and accounting services.
    • Provides full-packet encryption and granular command controls.

    Kerberos Authentication Protocol

    • Protocol for authenticating service requests between trusted hosts over an untrusted network such as the Internet.
    • Uses symmetric-key encryption (tickets encrypted under keys the client and services share with the KDC) to protect its authentication traffic, so credentials never cross the network.
    • Kerberos principals are composed of three main elements: the primary (typically the username or service name), the instance (differentiates similar primaries), and the realm (the group of users and services served by one KDC).
    • Realms are separated by trust boundaries and have distinct Kerberos key distribution centers (KDCs).
    • When a client wants to use Kerberos to access a service, the client requests an authentication ticket, or ticket-granting ticket (TGT).
    • The authentication server (AS) checks the client's credentials and responds with the TGT, which is encrypted using the secret key of the ticket-granting service (TGS), plus a session key encrypted under the client's own key; a client with the wrong password cannot read the reply.
    • When the client wants to use a service, it sends the TGT to the TGS (usually hosted on the same KDC) together with the name of the service and an authenticator encrypted under the session key.
    • The TGS returns a service ticket encrypted under the service's key along with a new session key; the client presents the ticket and a fresh authenticator to the service, which decrypts the ticket and grants access.
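The full AS, TGS and service exchange described above, as an added example (not code from the page or the study guide). Real Kerberos uses AES-based encryption types and a salted string-to-key function; this example substitutes a toy SHA-256 keystream with an HMAC tag for "seal/unseal" and SHA-256 of the password for the user key, purely so the ticket flow can run offline. The realm, principal names and password are constructed.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption standing in for Kerberos encryption types. Demo only."""
    nonce, pt = os.urandom(12), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) for one realm."""

    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, keys  # long-term keys of users, services and krbtgt (the TGS)

    def as_exchange(self, client: str) -> bytes:
        """AS_REP: TGT sealed under the TGS key, wrapped with the session key under the client's key."""
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk.hex(), "exp": time.time() + 600})
        return seal(self.keys[client], {"sk": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS_REP: client proves it holds the TGT session key; TGS issues a service ticket."""
        tgt = unseal(self.keys["krbtgt"], tgt_blob)  # only the TGS can open the TGT
        if tgt["exp"] < time.time():
            raise ValueError("TGT expired")
        sk = bytes.fromhex(tgt["sk"])
        if unseal(sk, authenticator)["client"] != tgt["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_sk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "sk": svc_sk.hex(), "exp": time.time() + 300})
        return seal(sk, {"service": service, "sk": svc_sk.hex(), "ticket": ticket.hex()})


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket_blob: bytes, authenticator: bytes) -> str:
        """AP_REQ: open the ticket with the service key, then check the authenticator."""
        t = unseal(self.key, ticket_blob)
        if t["exp"] < time.time() or unseal(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
            raise ValueError("bad ticket or authenticator")
        return t["client"]


def client_login(kdc: KDC, user: str, user_key: bytes, svc: Service) -> str:
    rep = unseal(user_key, kdc.as_exchange(user))  # wrong password = wrong key = cannot open AS_REP
    sk, tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])
    tgs_rep = unseal(sk, kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": time.time()}), svc.name))
    svc_sk, ticket = bytes.fromhex(tgs_rep["sk"]), bytes.fromhex(tgs_rep["ticket"])
    return svc.accept(ticket, seal(svc_sk, {"client": user, "ts": time.time()}))


def demo(password: bytes = b"alice-password") -> str:
    """Constructed realm EXAMPLE.COM; returns the principal the file service accepted."""
    keys = {"krbtgt": os.urandom(32), "alice": hashlib.sha256(b"alice-password").digest(), "fileserver": os.urandom(32)}
    kdc, fs = KDC("EXAMPLE.COM", keys), Service("fileserver", keys["fileserver"])
    return client_login(kdc, "alice", hashlib.sha256(password).digest(), fs)


if __name__ == "__main__":
    print("accepted principal:", demo())
```

Two properties worth noticing: the client never sees inside the TGT or the service ticket (they are sealed under keys it does not hold), and the password only ever acts locally as a key, which is what lets Kerberos run over an untrusted network.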

    Single Sign-On (SSO)

    • What is SSO? A system enabling users to access multiple services with a single login, simplifying authentication and authorization.
    • Benefits: Simplifies the user experience, reduces friction, and can improve security by cutting the number of passwords users must manage and reuse.
    • Drawbacks: Requires a trade-off in security boundaries, might require additional authentication steps for high-security environments.
    • Common Examples: Logging into Google services, enterprise environments.

    Directory Services

    • LDAP (Lightweight Directory Access Protocol): A protocol for querying and updating a hierarchical directory, used for managing identity and access information within organizations (Active Directory exposes an LDAP interface).
    • Structure: Provides a structured view of organizational information, including user accounts, email addresses, phone numbers, and office locations.

    SSO Technologies

    • SAML (Security Assertion Markup Language): An XML-based open standard for exchanging authentication and authorization information between identity providers and service providers.
    • OpenID: An open standard for decentralized authentication allowing users to leverage third-party identities for authentication. Examples include "Log in with Google", Microsoft, Amazon, and other major identity providers.
    • OAuth: An open standard for authorization used by many websites, enabling users to control the information they share with third-party applications.
    • OAuth Use Cases: Google Drive plug-ins requesting access to files or folders, web conferencing tools requesting access to a Google calendar.

    Password Best Practices

    • NIST Digital Identity Guidelines provide guidance on password best practices.
    • Show Password feature should be enabled to prevent typos.
    • Password managers are recommended for secure password storage.
    • Salting and secure hashing methods should be used to securely store passwords.
    • Account lockout after multiple failed attempts is crucial.
    • Multi-factor authentication (MFA) is essential.
    • Password complexity requirements should be reduced, focusing on length instead.
    • Special characters should not be required in passwords.
    • ASCII and Unicode characters should be allowed.
    • Password pasting should be permitted to facilitate password manager usage.
    • New passwords should be monitored to prevent weak password choices.
    • Password hints should be eliminated to avoid potential vulnerabilities.
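A password acceptance check and storage routine following the NIST points above, written here as an added example (not code from the page or the study guide): length is the only composition rule, Unicode counts by code point, candidates are screened against a breach/common list, and storage uses a random per-password salt with PBKDF2-HMAC-SHA256. The blocklist is a constructed stand-in for a real breach corpus; the 128-character cap and the 600,000-round figure are assumptions (NIST only requires that at least 64 characters be accepted).

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a breached/common-password corpus; use a real feed in production.
BREACHED = {"password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome1", "iloveyou", "abc123"}
MAX_LENGTH = 128          # assumption: bounds hashing cost; NIST requires >= 64 to be accepted
PBKDF2_ROUNDS = 600_000   # assumption: OWASP's current figure for PBKDF2-HMAC-SHA256


def evaluate_password(password: str, username: str = "", blocklist: set = BREACHED) -> tuple:
    """NIST SP 800-63B style check: length, blocklist and context, no character-class rules."""
    pw = unicodedata.normalize("NFKC", password)  # accept Unicode; normalize so equivalent forms match
    n = len(pw)  # code points rather than bytes, so non-ASCII passwords are not penalized
    if n < 8:
        return False, "shorter than 8 characters"
    if n > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    low = pw.lower()
    if low in blocklist:
        return False, "found in breached/common password list"
    if username and username.lower() in low:
        return False, "contains the username"
    if len(set(low)) <= 2:
        return False, "repetitive characters"
    return True, "ok"


def hash_for_storage(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the random salt is stored alongside the digest."""
    salt = os.urandom(16)
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_stored(stored: str, password: str) -> bool:
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1", "Tr0ub4dor&3", "short"):
        print(f"{candidate!r}: {evaluate_password(candidate)}")
    stored = hash_for_storage("correct horse battery staple")
    print(stored[:40] + "...", verify_stored(stored, "correct horse battery staple"))
```

Because there is no special-character rule, "Tr0ub4dor&3" and "correct horse battery staple" are both accepted on length and blocklist grounds alone, while "Password1" fails despite satisfying every classic complexity rule.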

    Password Security Threats

    • Organizations should understand threats to authentication to implement effective defenses.
    • Threats and risks to authentication may change over time.

    Password Configuration Settings

    • Password length is a key control against brute-force attacks.
    • Password complexity influences attack complexity by forcing larger character sets.
    • Password reuse limitations prevent users from reusing compromised passwords.
    • Password expiration dates are often used but may create unnecessary support burdens.
    • MFA can mitigate the need for frequent password changes.
    • Minimum password age settings prevent users from cycling through resets in quick succession to bypass reuse limitations.

    Biometric System Assessment

    • Type I Error (False Rejection Rate - FRR): A legitimate biometric measure is presented and the system rejects it.
    • Type II Error (False Acceptance Rate - FAR): A biometric factor is presented and accepted when it shouldn't be.
    • Receiver Operating Characteristic (ROC): Compares FRR and FAR, usually represented as a graph.
    • Relationship between FRR and FAR: As you decrease the likelihood of false rejection, you increase the rate of false acceptance.
    • Determining Accuracy: Balancing the minimization of false acceptance and prevention of false rejection is a crucial aspect of configuring biometric systems.

    Evaluating Biometrics

    • Efficacy Rate: Determines how well a biometric system performs its intended function - considering FAR and FRR.
    • BioLevel1 Requirements (FIDO Alliance): Set the FRR threshold for acceptance at 3% of attempts and FAR at 0.01%.
    • Imposter Attack Presentation Match Rate (IAPMR): Measures how often an attack successfully exploits the weaknesses of a biometric system.
    • User Acceptance: Real-world usability, convenience, and acceptance are important considerations for widespread adoption of biometric systems.
    • Example of User Acceptance Challenges: Retina scanners and early fingerprint scanners faced user acceptance issues due to inconvenience and limitations, highlighting the need for backup methods for some users.
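The FRR/FAR trade-off and ROC described in the two sections above, computed over constructed matcher scores as an added example (not code from the page or the study guide). With eight genuine and eight impostor samples the numbers only illustrate the shape of the trade-off; a 0.01 percent FAR bound like FIDO's cannot be observed without many thousands of impostor attempts, which the FIDO check at the end makes explicit.

```python
# Constructed matcher scores (0 = no match, 1 = perfect match).
GENUINE = [0.95, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.60]   # enrolled user presenting
IMPOSTOR = [0.10, 0.20, 0.30, 0.40, 0.50, 0.55, 0.65, 0.72]  # someone else presenting

FIDO_L1_FAR, FIDO_L1_FRR = 0.0001, 0.03  # BioLevel1 bounds quoted in the notes above


def frr(threshold, genuine=GENUINE):
    """Type I error: share of legitimate samples scoring below the acceptance threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """Type II error: share of impostor samples scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def roc_points(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) at every candidate threshold; FAR vs FRR is the ROC curve."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in sorted(set(genuine) | set(impostor))]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Operating point where FAR and FRR are closest; a single figure to compare systems by."""
    return min(roc_points(genuine, impostor), key=lambda p: abs(p[1] - p[2]))


def meets_fido_level1(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """True only if both error rates at this threshold are within the BioLevel1 bounds."""
    return far(threshold, impostor) <= FIDO_L1_FAR and frr(threshold, genuine) <= FIDO_L1_FRR


if __name__ == "__main__":
    for t, a, r in roc_points():
        print(f"threshold {t:.2f}: FAR {a:.3f}  FRR {r:.3f}")
    print("equal error rate point:", equal_error_rate())
    print("FIDO L1 at EER threshold:", meets_fido_level1(equal_error_rate()[0]))
```

Raising the threshold moves the system toward fewer false acceptances and more false rejections, which is the relationship the notes describe; the deployment question is which side of the equal error rate the risk model wants to sit on.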

    Privileged Access Management (PAM)

    • PAM tools help maintain the principle of least privilege by allowing administrators to assign only the minimum set of permissions required for a role or task.
    • PAM tools offer granular controls, improved audit capabilities, enhanced visibility into privileged accounts, and comprehensive reports.
    • Just-in-Time (JIT) Permissions: Grant temporary access that is automatically revoked when no longer needed. This prevents continuous access and reduces privilege creep, but requires an extra step for users to obtain permissions. Users typically employ a console to "check out" permissions.
    • Password Vaulting: A PAM technique that enables users to access privileged accounts without needing to know the passwords. It usually allows for the "checking out" of credentials as needed, creating an auditable log for credential usage. Password vaults also serve as a backup for emergencies and account outages.
    • Ephemeral Accounts: Temporary user accounts with restricted lifespans. They are useful for scenarios like guest access or specific tasks where users need access for a limited time and should not have permanent accounts. They must be properly configured with an appropriate lifespan and automated deprovisioning for successful implementation.
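The check-out, automatic revocation and audit trail that the JIT and ephemeral-account bullets describe, as an added example (not code from the page or the study guide). The broker, its role names and the change-ticket justification are assumptions; the injectable clock exists only so expiry can be exercised without waiting. Vault credential check-out follows the same pattern with a secret in place of a role.

```python
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    role: str
    ticket: str        # change/incident reference recorded as the justification
    expires_at: float


class ManualClock:
    """Injectable clock so expiry can be exercised deterministically."""

    def __init__(self, now: float = 1_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class JitBroker:
    """Checks privileged roles out for a bounded time and revokes them automatically.

    Every check-out and revocation lands in an append-only audit list, which is the
    logged history the notes describe for vaults and JIT consoles.
    """

    def __init__(self, max_ttl: int = 3600, clock=time.time):
        self.max_ttl, self.clock = max_ttl, clock
        self._grants: dict = {}   # (user, role) -> Grant
        self.audit: list = []

    def _log(self, event: str, user: str, role: str, **extra) -> None:
        self.audit.append({"ts": self.clock(), "event": event, "user": user, "role": role, **extra})

    def check_out(self, user: str, role: str, ticket: str, ttl: int) -> Grant:
        if not ticket:
            raise ValueError("a justification ticket is required")
        if not 0 < ttl <= self.max_ttl:
            raise ValueError(f"ttl must be within 1..{self.max_ttl} seconds")
        grant = Grant(user, role, ticket, self.clock() + ttl)
        self._grants[(user, role)] = grant
        self._log("checkout", user, role, ticket=ticket, expires_at=grant.expires_at)
        return grant

    def has_role(self, user: str, role: str) -> bool:
        """Authorization check for the protected system; expiry is also enforced lazily here."""
        grant = self._grants.get((user, role))
        if grant is None:
            return False
        if self.clock() >= grant.expires_at:
            self.revoke(user, role, "expired")
            return False
        return True

    def revoke(self, user: str, role: str, reason: str = "manual") -> bool:
        if self._grants.pop((user, role), None) is None:
            return False
        self._log("revoke", user, role, reason=reason)
        return True

    def sweep(self) -> int:
        """Background deprovisioning job: revoke everything past its expiry."""
        expired = [k for k, g in self._grants.items() if self.clock() >= g.expires_at]
        for user, role in expired:
            self.revoke(user, role, "expired")
        return len(expired)


if __name__ == "__main__":
    clock = ManualClock()
    broker = JitBroker(max_ttl=900, clock=clock)
    broker.check_out("alice", "db-admin", "CHG-1234", ttl=600)  # constructed sample request
    print("during window:", broker.has_role("alice", "db-admin"))
    clock.advance(601)
    print("after expiry:", broker.has_role("alice", "db-admin"))
    print("audit:", broker.audit)
```

The two enforcement points matter in practice: the lazy check in `has_role` protects against a sweep job that fails to run, and the sweep protects against grants nobody ever queries again but that would otherwise linger, which is the privilege creep the notes warn about.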

    Access Control Schemes

    • Mandatory Access Control (MAC): Security policy administrators enforce access control rules through the operating system. Users cannot grant access to files or change security policies, ensuring centralized control. MAC has traditionally been used in government and military systems, but now finds application in high-security systems like SELinux and Windows Mandatory Integrity Control (MIC). It is less common than DAC.
    • Discretionary Access Control (DAC): Commonly implemented on personal computers, DAC allows owners of files and directories to determine access rights and permissions for others. This flexibility enables owners to grant or deny access as they see fit. Linux file permissions exemplify this, where owners can set read, write, and execute permissions for the owner, the group, and everyone else ("world" or "other").
    • Role-Based Access Control (RBAC): Based on assigning roles to users and granting access based on those roles. This is popular in enterprises, allowing for quick categorization of employees (e.g., cashier, database administrator) and granting appropriate access to systems and data. RBAC operates on three fundamental rules:
      • Role Assignment: Users can only exercise permissions associated with the roles they have been assigned.
      • Role Authorization: Users' active roles must be authorized for their specific tasks, preventing them from assuming unauthorized roles.
      • Permission Authorization: Users can only access resources allowed by their active roles.
    • Rule-Based Access Control (often written RuBAC to avoid confusion with role-based RBAC): Uses rules or Access Control Lists (ACLs) to control access to resources. When an attempt is made to access a resource, the rule is checked for authorization. A common example is firewall rulesets.
    • Attribute-Based Access Control (ABAC): Relies on policies based on user attributes. This allows for complex rulesets that grant rights based on combinations of user attributes, providing flexibility and context-based access control. While highly flexible, ABAC can be complex to manage effectively. ABAC is commonly used in application security, especially for enterprise systems with complex user roles and permissions that vary based on user interactions. They are also utilized in databases, content management systems, microservices, and APIs.
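The three RBAC rules listed above, enforced in code as an added example (not code from the page or the study guide). The session concept is the standard way the three rules are made concrete: a user may hold several roles, but only the roles activated for a session carry permissions, which is also how least privilege is applied in an RBAC system. The store roles and the user are constructed sample data.

```python
class RbacError(Exception):
    pass


class Rbac:
    """Core RBAC with sessions, enforcing role assignment, role authorization and permission authorization."""

    def __init__(self):
        self.role_perms: dict = {}   # role -> set of permissions
        self.user_roles: dict = {}   # user -> set of assigned roles
        self.sessions: dict = {}     # session id -> (user, set of active roles)

    def define_role(self, role: str, perms: set) -> None:
        self.role_perms[role] = set(perms)

    def assign_role(self, user: str, role: str) -> None:
        """Role assignment: permissions only ever reach a user through an assigned role."""
        if role not in self.role_perms:
            raise RbacError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, sid: str, user: str, active_roles: set) -> None:
        """Role authorization: a session may only activate roles the user has been assigned."""
        unauthorized = set(active_roles) - self.user_roles.get(user, set())
        if unauthorized:
            raise RbacError(f"{user} cannot activate {sorted(unauthorized)}")
        self.sessions[sid] = (user, set(active_roles))

    def check(self, sid: str, perm: str) -> bool:
        """Permission authorization: only the session's active roles count, not every assigned one."""
        _user, active = self.sessions[sid]
        return any(perm in self.role_perms[r] for r in active)


def demo_store() -> Rbac:
    """Constructed example: a retail system with cashier, auditor and DBA roles."""
    rbac = Rbac()
    rbac.define_role("cashier", {"ring_sale", "open_drawer"})
    rbac.define_role("auditor", {"read_ledger"})
    rbac.define_role("dba", {"drop_table", "read_ledger"})
    rbac.assign_role("alice", "cashier")
    rbac.assign_role("alice", "auditor")
    return rbac


if __name__ == "__main__":
    store = demo_store()
    store.open_session("till-1", "alice", {"cashier"})       # least privilege: activate only what the shift needs
    print("ring_sale:", store.check("till-1", "ring_sale"))
    print("read_ledger (assigned, not active):", store.check("till-1", "read_ledger"))
    try:
        store.open_session("till-2", "alice", {"dba"})       # never assigned: role authorization rejects it
    except RbacError as err:
        print("rejected:", err)
```

The notes' "role authorization" example, a user denied despite holding a role, is the `read_ledger` case here: alice is an auditor, but the till session did not activate that role.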

    Additional Access Control Concepts

    • Time-of-Day Restrictions: Limit when activities can occur. In Windows, logon hours can be set via Active Directory, defining the time periods when users or groups can login. This helps prevent abuse of user accounts and system access outside of regular work hours.
    • Least Privilege: Ensures that accounts and users are granted only the minimum set of permissions required for their role or job function. This fundamental security principle should be integrated into all access control schemes and permission settings.

    Filesystem Permissions

    • Filesystem permissions govern which accounts, users, groups, or services can perform actions like reading, writing, and executing files. They are crucial for controlling file access on operating systems.
    • Operating systems have unique filesystem permission schemes. Familiarize yourself with both Linux and Windows permissions in preparation for exams.
    • Linux file listings show permissions as a 10-character string such as drwxr-xr-x: the first character is the file type (d for directory, - for a regular file), followed by three rwx triplets for the owner, the group, and everyone else (world/other). An s or t in an execute position marks setuid, setgid, or the sticky bit. The same permissions have an octal shorthand (r=4, w=2, x=1 per triplet, so rwxr-xr-x is 755) that is commonly used with the chmod command.
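A parser for that listing format, as an added example (not code from the page or the study guide): it converts the letter form to the numeric mode, including setuid/setgid/sticky, and then walks an `ls -l` style listing to flag the settings the notes warn about (world-writable paths and setuid binaries). The sample listing is constructed, with the size and date columns omitted.

```python
import stat


def mode_from_listing(perm: str) -> int:
    """Convert the 10-character ls -l field (e.g. '-rwxr-sr-x') to its numeric mode.

    Character 0 is the file type; characters 1-9 are the owner, group and other triplets.
    An 's' or 't' in an execute slot means setuid/setgid/sticky is set; uppercase means
    the special bit is set but execute is not.
    """
    if len(perm) != 10:
        raise ValueError("expected a 10-character permission field")
    mode = 0
    triplets = ((1, stat.S_ISUID, "sS"), (4, stat.S_ISGID, "sS"), (7, stat.S_ISVTX, "tT"))
    for g, (off, special_bit, special_chars) in enumerate(triplets):
        r, w, x = perm[off:off + 3]
        if r not in "-r" or w not in "-w":
            raise ValueError(f"bad triplet {perm[off:off + 3]!r}")
        val = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x == "x":
            val |= 1
        elif x in special_chars:
            mode |= special_bit
            val |= 1 if x.islower() else 0
        elif x != "-":
            raise ValueError(f"bad execute flag {x!r}")
        mode |= val << (6 - 3 * g)  # owner bits are the highest triplet
    return mode


def octal(perm: str) -> str:
    """chmod-style shorthand, e.g. 'drwxrwxrwt' -> '1777'."""
    return format(mode_from_listing(perm), "04o")


def risky_entries(listing: str) -> list:
    """Flag setuid/setgid files and world-writable paths in ls -l style output."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        perm, owner, path = fields[0], fields[2], fields[-1]
        mode = mode_from_listing(perm)
        is_dir = perm[0] == "d"
        if mode & (stat.S_ISUID | stat.S_ISGID) and not is_dir:
            findings.append((path, f"setuid/setgid binary owned by {owner}"))
        if mode & stat.S_IWOTH:
            if is_dir and mode & stat.S_ISVTX:
                continue  # sticky world-writable directory such as /tmp is the intended pattern
            findings.append((path, "world-writable " + ("directory" if is_dir else "file")))
    return findings


# Constructed sample listing (ls -l style, size and date columns omitted).
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root /usr/bin/passwd
-rw-rw-rw- 1 app  app  /opt/app/config.yml
drwxrwxrwt 1 root root /tmp
drwxrwxrwx 1 root root /srv/uploads
-rw-r--r-- 1 root root /etc/hostname
"""

if __name__ == "__main__":
    for perm in ("-rwxr-xr-x", "drwxrwxrwt", "-rwsr-xr-x", "-rwSr--r--"):
        print(perm, "->", octal(perm))
    for path, reason in risky_entries(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```

Setuid root on `/usr/bin/passwd` is expected and the finding is there to be reviewed, not removed; the world-writable config file and the non-sticky upload directory are the kind of misconfiguration that lets one user tamper with another's data or an application's behaviour.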

    Description

    Test your knowledge on privileged access management, focusing on accounts, rights, and access control schemes. This quiz covers key concepts like just-in-time permission granting and various access control models including ABAC and RBAC.
