Occurs when users claim or profess their identity with identifiers such as usernames or email addresses
Authentication
Users prove their identity with a password
AAA
Authentication
Authorization
Accounting
Work together with identification to provide a comprehensive access management system
Accounting
Methods track user activity and record the activity in logs
Audit trail
Allow security professionals to re-create the events that preceded a security incident
When does identification occur?
It occurs when a user claims an identity such as with a username or email address
When does authentication occur?
Authentication occurs when the user proves the claimed identity and the credentials are verified
What is the best way to provide accounting?
Logging
What is the something you know factor?
This factor typically refers to a shared secret such as a password or even a PIN
This is the least secure form of authentication
What is a strong password?
Sufficient length
Doesn't include words found in the dictionary
Combines at least three of the following character types
Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of at least 14 characters
What needs to happen before resetting passwords for users?
Verify the user's identity
It is best to create a temporary password that expires on first use
What is a group policy?
Group policy is implemented on a domain controller within a domain
Administrators use it to create password policies, implement security settings, configure host-based firewalls and more
Password policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
How do you prevent users from using the same password again?
Password history
How do you prevent users from guessing passwords?
Account lockout threshold
Account lockout duration
The first factor of authentication is the weakest factor
What is the something you have authentication factor?
This authentication factor refers to something you can physically hold
What is a smartcard?
Smart cards are credit card sized cards that have an embedded microchip and a certificate
What are two requirements for a smartcard?
Embedded certificate which holds a user's private key
Public key infrastructure which supports issuing and managing the certificates
What is a CAC?
Common access card
Specialized type of smartcard used by the US Department of Defense
Includes a picture of the user and other readable information
Used to gain access into secure locations and to log onto computer systems
Personal identity verification card
Specialized type of smartcard used by federal agencies
Includes photo identification and provides confidentiality, integrity, authentication and non-repudiation for the users
Smartcard is an example of two factor authentication
Token
An electronic device about the size of a car's remote key
Displays a number that expires every 60 seconds
This is used for authentication via a website
HOTP
Open standard used for creating one-time passwords
Uses a hash
TOTP
Generates a password that expires in 30 seconds
What is a significant benefit of one-time passwords?
Price
Dual factor authentication
HOTP and TOTP can be used as software tokens for authentication
What is the something you are authentication factor?
Uses biometrics for authentication
Biometric methods are the strongest form of authentication because they're the most difficult for an attacker to falsify
Fingerprint scanner
Usually used for identification not authentication
False acceptance
When a biometrics system incorrectly identifies an unauthorized user as an authorized user
False rejection
When a biometrics system incorrectly rejects an authorized user
What is the somewhere you are authentication factor?
Uses geolocation to identify a user's location
What are the strongest biometric methods?
Iris and retina scans
Crossover error rates measure the accuracy of a system
What can a company implement to combat weak passwords?
A technical password policy
What can an organization do to combat forgotten passwords?
Password recovery procedure
Kerberos
Network authentication mechanism used within Windows Active Directory domains and some UNIX environments known as realms
Provides mutual authentication that can help prevent man-in-the-middle attacks and uses tickets to help prevent replay attacks
What are three requirements for Kerberos?
Method of issuing tickets used for authentication
Time synchronization
A database of subjects or users
NTLM
New technology LAN manager
Suite of protocols that provide authentication, integrity and confidentiality within Windows systems
LDAP
Lightweight directory access protocol
Specifies formats and messages to query directories
LDAP is based on an earlier version of X.500
Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN and DC
It also encrypts transmissions with TLS
SSO
Single sign-on
The ability of a user to log on or access multiple systems by providing credentials only once
One set of credentials is used throughout a user's entire session
This can be used for different operating systems
Transitive trust
Creates an indirect trust relationship
Parent and child domain
SAML
Security assertion markup language
This is a language to establish trust
This is used to exchange authentication and authorization information between different parties
Three roles in SAML
Principal which is the typical user
Identity provider which creates, maintains and manages identity information for the principal
Service provider which provides services to principals
For example, redirecting the principal to an identity provider to obtain an identity
How do you provide SSO for web-based applications?
Use security assertion markup language
Federation
This links and uses credentials from different networks or operating systems and treats them as one identity
This is useful when parties want to access each other's networks but it is not feasible to join the networks
Shibboleth
One of the federated identity solutions
More affordable solution than commercially available federated identity solutions
Makes it easy for developers to expand its usefulness
OAuth
Open standard for authorization that many companies use to provide secure access to protected resources
Instead of creating a different account for each website you access, you can often use the same account that you've created for different sites
OpenID Connect
Works with OAuth 2.0 and allows clients to verify the identity of a user without managing their credentials
For example, logging in with Facebook to a site that personalizes content for you
Least privilege
Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions
Technical control
End user accounts
Accounts for regular users
Privileged account
Has additional rights and privileges beyond what a regular user has
For example, an administrative account
Guest account
Useful when you want to grant someone limited access to a computer or network without creating a new account
Service account
A type of regular end user account that is only used by a service or application
For example, SQL Server is a database application that runs on a server and needs access to resources on the server and network
Requiring administrators to use two accounts one with administrator privileges and another with regular user privileges helps prevent privilege escalation attacks.
Users should not use shared accounts
Account disablement policy
Disabling accounts once an employee leaves
Security keys associated with an account remain available when the account is disabled but are no longer accessible if the account is deleted
What should a company implement if they only want users to access between 8 AM and 5 PM?
Time of day restrictions
What should a company do if they are creating an account for a temporary contractor?
Create an account expiration date for the temporary account
What should a company do if users have many passwords?
Credential management
For example, Google autofill
Role-based access control (role-BAC)
Uses roles to manage rights and permissions for users
This is useful for users within a specific department who perform the same job functions
What does a company do if they want to simplify user administration?
Apply group-based access control, which is control based on groups and roles
Group-based privileges reduce the administrative workload of access management
Administrators put user accounts into groups and assign privileges to the groups
Rule-based access control is based on what?
A set of approved instructions, such as an access control list
Some rule-BAC systems use rules that trigger in response to an event, such as modifying access control lists after detecting an attack or granting additional permissions to a user in certain situations
DAC
Discretionary access control
Every object has an owner, and the owner establishes access for the object
Unix and Windows use this
For example, Microsoft NTFS allows users and administrators to restrict access to files and folders with permissions