Ch 3 - Identity and Account Management
Identification, Authentication, and Authorization
Identification - claiming an identity (username)
Authentication - proving that identity
Multifactor Authentication (MFA) – using more than one factor for authentication
Authentication Factors - something you….
know - password / pin code
have - SmartCard / RSA Token #
are - biometrics (face scanner / retinal scanner / fingerprint)
Authentication Attributes - something you….
do - signature
exhibit - typing speed
someone you know - trust (certificate from a server)
somewhere you are - is it a suspicious location?
Authorization - allowed permissions
Copyright Robert Mathisen & Total Seminars 2023
Enabling Multifactor Authentication
- Identification and authentication allow for authorization on a system
- Accounting is the process of auditing, or accounting for, the activities of a user while they are on a system
- MFA is more secure than single-factor authentication
Identification and AAA…
Identification - trying to authenticate users with an additional factor
Authentication -
Authorization - permissions that are assigned after successful authentication and that can be exercised by the user
Accounting - we want to be able to account for / audit the activity a user executed
Multifactor Authentication
something you…
know - have to know the PW
have - need your cell phone to receive a 6-digit code
Authorization
Authentication - the proving of one's identity (user, device, software, etc.)
After authentication, we get authorization to use a resource
Authorization….
Based on permissions granted
Determines resource permissions
Can only occur after authentication
Resources - targets that have permissions applied to them
files, database rows, web app, etc.
Accounting / Auditing….
Track permissions usage for accountability purposes
Who or what accessed which resource, for how long, and on what date?
Accounting
- Accounting (or auditing) is the process of tracking user activity on a system
- Separate user accounts are important to assure accurate accounting
- Event (or accounting) logs can be used to identify unusual or malicious activity
AAA (Authentication, Authorization, Accounting)….
Accounting - often called Auditing
Track Activity
Must have separate user accounts for each user
Types of Auditing….
Resource Access
Failed Logon Attempts
Changes to Files / Database Records
Virtual Machines with a Public IP that have had attempted hacks….
If a cloud VM hosts internal services and you are seeing failed login attempts from IP addresses you don't recognize, consider removing the Public IP and reaching the VM via VPN instead
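The failed-logon auditing described above, as an added example (not part of the course notes): a small Python script that parses constructed OpenSSH-style log lines, counts failures per source address, flags sources that are not on a known-address list, and lists users who have crossed the lockout threshold that the Account Policies section recommends. The host name, the log lines, the known-source list and the threshold of 3 are all assumptions made up for the demo; the source addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Constructed OpenSSH-style log lines from a hypothetical VM "vm1" (not real data).
LOG_LINES = """\
May  1 09:00:01 vm1 sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
May  1 09:00:03 vm1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
May  1 09:00:04 vm1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
May  1 09:00:06 vm1 sshd[1203]: Failed password for root from 203.0.113.7 port 50125 ssh2
May  1 09:00:08 vm1 sshd[1204]: Failed password for root from 203.0.113.7 port 50126 ssh2
May  1 09:02:10 vm1 sshd[1210]: Failed password for ops from 198.51.100.4 port 40001 ssh2
May  1 09:02:20 vm1 sshd[1211]: Accepted publickey for ops from 198.51.100.4 port 40002 ssh2
May  1 09:05:00 vm1 sshd[1220]: Failed password for invalid user test from 203.0.113.9 port 51000 ssh2
May  1 09:05:02 vm1 sshd[1221]: Failed password for invalid user test from 203.0.113.9 port 51001 ssh2
""".splitlines()

# Addresses sign-ins are expected from (assumption: the VPN / office egress address).
KNOWN_SOURCES = {"198.51.100.4"}

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"],
                "user": m["user"],
                "ip": m["ip"],
                "failed": m["outcome"].startswith("Failed"),
            })
    return events


def failures_by_source(events):
    """Accounting view: how many failed logons each source address produced."""
    return Counter(e["ip"] for e in events if e["failed"])


def unrecognized_sources(events, known, threshold=3):
    """Sources not on the known list with at least `threshold` failures:
    the signal the notes describe for a VM that should not be publicly reachable."""
    return {ip: n for ip, n in failures_by_source(events).items()
            if ip not in known and n >= threshold}


def users_to_lock(events, threshold=3):
    """Accounts whose failed-logon count has reached the lockout threshold."""
    per_user = Counter(e["user"] for e in events if e["failed"])
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    ev = parse(LOG_LINES)
    print("failures by source:", dict(failures_by_source(ev)))
    print("unrecognized sources over threshold:", unrecognized_sources(ev, KNOWN_SOURCES))
    print("accounts to lock:", users_to_lock(ev))
```

Note that the one failure from the known address is not reported: the point of the known-source list is to separate a typo by an administrator from repeated guessing by an address that should never be talking to an internal VM in the first place.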
Authentication Methods
Authentication Methods….
Username / PWs - security risk - both something you know and can be guessed
Common PWs are still widely used
Mitigation is to use different PWs for each resource
Password Vaults - PW Managers
LastPass, Cloud-based Vaults to store PW Keys
A Master Key protects the Vault (don’t forget it!)
One-Time Password (OTP) - unique PW (code) generated for a single use
Static code sent via email or SMS text
Software Notification Methods (push notification)
phone call, SMS text, email
Time-based OTP (TOTP) - code is valid for a short period of time
HMAC-based One-Time Password (HOTP) -
HMAC (a keyed hash) ensures the authenticity of the code
Certificate-based Authentication -
PKI Certificates - issued by a trusted authority to an individual identity
device, VPN, app access
Can be stored on a Smart Card (credit card size device)
Personal Identity Verification (PIV) card
PIV Card looks like a security badge
Common Access Card (CAC) - authenticate to everything
SSH Public Key Authentication -
Sign in with a Username & PW, as well as a Private Key
Public Key stored on Server
Private Key stored on Admin Device
Biometrics -
Fingerprint - Retina - Iris - Facial - Voice - Vein - Gait analysis
Efficacy Rates - False Acceptance Rate
False Rejection Rate
Crossover Error Rate
Access Control Schemes
- Credential Policies - how credentials are managed & used to access resources
- Resource Permissions - can be based on user and device attributes (ABAC), rules (RBAC), or roles (RBAC)
- Resource permissions can also be controlled via labels and security clearance levels (MAC) or set by a resource custodian (DAC)
Credential Policies….
Defines who gets access to what
employees, contractors, devices, service accounts,
administrator / root accounts (Privileged Access Management - PAM)
Attribute-based Access Control (ABAC)….
Uses attributes to determine permissions
Date of Birth
Device Type
Role-based Access Control (RBAC)….
Role - a collection of related permissions
Role Occupants get permissions of the role
Rule-based Access Control (RBAC)….
uses Conditional Access Policies
MFA
Device Type
Location
Mandatory Access Control (MAC)….
Resources are Labeled
devices, files, databases, network ports, etc.
Permission assignments are based on
resource labels and security clearance
Discretionary Access Control (DAC)….
Data Custodian sets permissions at their discretion
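The five access control schemes above side by side, as an added Python example written for these notes (not from the course): each function makes one kind of decision, and `authorize_db_read` shows that authorization only happens once every applicable check has passed. The roles, permission names, sensitivity labels, conditional access rules and users are all constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable

# MAC: ordered sensitivity labels (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: a role is a named collection of related permissions.
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "dba": {"db:read", "db:write"},
    "admin": {"report:read", "db:read", "db:write", "user:manage"},
}


@dataclass
class User:
    name: str
    roles: set
    clearance: str
    attributes: dict   # ABAC / rule inputs: mfa, device_type, country, age


@dataclass
class Resource:
    name: str
    owner: str          # DAC: the custodian who sets permissions
    label: str          # MAC: classification label
    acl: dict = field(default_factory=dict)   # DAC: user -> set of actions


def rbac_allows(user: User, permission: str) -> bool:
    """Role-based: a role occupant inherits the role's permissions."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


# Rule-based / conditional access: every rule must hold for the sign-in.
CONDITIONAL_ACCESS_RULES: list[Callable[[User], bool]] = [
    lambda u: u.attributes.get("mfa") is True,               # MFA completed
    lambda u: u.attributes.get("device_type") == "managed",  # device type
    lambda u: u.attributes.get("country") in {"US", "CA"},   # location
]


def conditional_access_allows(user: User) -> bool:
    return all(rule(user) for rule in CONDITIONAL_ACCESS_RULES)


def abac_allows(user: User, policy: dict) -> bool:
    """Attribute-based: the user's attributes must match every required value."""
    return all(user.attributes.get(k) == v for k, v in policy.items())


def mac_allows_read(user: User, resource: Resource) -> bool:
    """Mandatory: read only if the clearance level dominates the resource label."""
    return LEVELS[user.clearance] >= LEVELS[resource.label]


def dac_grant(custodian: User, resource: Resource, grantee: str, action: str) -> None:
    """Discretionary: only the custodian (owner) may hand out permissions."""
    if custodian.name != resource.owner:
        raise PermissionError(f"{custodian.name} does not own {resource.name}")
    resource.acl.setdefault(grantee, set()).add(action)


def dac_allows(user: User, resource: Resource, action: str) -> bool:
    return user.name == resource.owner or action in resource.acl.get(user.name, set())


def authorize_db_read(user: User, resource: Resource) -> bool:
    """Combined decision: role, sign-in conditions and clearance must all pass."""
    return (rbac_allows(user, "db:read")
            and conditional_access_allows(user)
            and mac_allows_read(user, resource))
```

The useful observation is that the schemes answer different questions: RBAC asks what the job needs, conditional access asks whether this particular sign-in is trustworthy, MAC asks whether the data's classification permits it at all, and DAC lets the custodian make exceptions for a specific resource. Denying when any one of them says no is how least privilege is enforced in practice.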
Physical Access Control….
Limited Facility Access
access control vestibules, door locks, proximity cards, key fob, etc.
Account Management
- Different types of user accounts can have different account policies applied
- Each user should have their own account with only the permissions required to perform job tasks
- Password policies control password complexity, history, and expiration
- Assigning permissions to groups is scalable
- Geofencing uses the device's physical location to determine resource access
User Accounts….
Unique Account per User
Assign Permissions to Groups
Principle of Least Privilege
User Account Auditing
Disablement
Account Management….
Rights / Privileges
Account Types
user, device, service
administrator / root
privileged
guest
Account Policies….
Employee Onboarding
Password Policies
complexity, history, reuse
Account Lockout - great for protecting against brute force attacks
Geolocation - where a user is located
Geofencing - user geolocation determines resource access
Geotagging - adding location metadata to files and social media posts
Impossible Travel Time - sign in from New York, then 10 min later sign in from California
Risky Login - is it normal to be logging in during the middle of the night from eastern Europe trying to access a database? A baseline of normal activity is required first.
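The impossible-travel and risky-login checks above, as an added Python example written for these notes (not course material): it runs over a few constructed sign-in events, computes the great-circle distance and implied speed between a user's consecutive sign-ins, and separately builds a per-user baseline of normal countries and hours so a later sign-in can be scored against it. The coordinates, the 1000 km/h speed limit and the events themselves are assumptions made for the demo.

```python
import math
from datetime import datetime

# Approximate city coordinates (lat, lon), constructed for the demo.
NEW_YORK = (40.71, -74.01)
LOS_ANGELES = (34.05, -118.24)
LONDON = (51.51, -0.13)
BUCHAREST = (44.43, 26.10)

# Constructed sign-in events: (user, ISO timestamp, (lat, lon), country code).
SIGNINS = [
    ("alice", "2023-05-01T09:00:00", NEW_YORK, "US"),
    ("alice", "2023-05-01T09:10:00", LOS_ANGELES, "US"),   # 10 min later, ~3,900 km away
    ("bob", "2023-05-01T09:00:00", LONDON, "GB"),
    ("bob", "2023-05-01T17:30:00", LONDON, "GB"),
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh=1000.0):
    """Flag consecutive sign-ins by the same user that would require moving
    faster than `max_kmh` (assumed limit, roughly airliner speed)."""
    flags = []
    last = {}
    for user, ts, loc, _country in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_loc = last[user]
            km = haversine_km(prev_loc, loc)
            hours = (t - prev_t).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                flags.append({"user": user, "at": ts, "km": round(km), "kmh": round(speed)})
        last[user] = (t, loc)
    return flags


def build_baseline(events, user):
    """Normal activity for one user: countries seen and the hour range used."""
    mine = [e for e in events if e[0] == user]
    hours = [datetime.fromisoformat(e[1]).hour for e in mine]
    return {"countries": {e[3] for e in mine},
            "earliest_hour": min(hours), "latest_hour": max(hours)}


def risky_login(baseline, event):
    """Reasons a new sign-in deviates from the baseline; empty means normal."""
    reasons = []
    _user, ts, _loc, country = event
    if country not in baseline["countries"]:
        reasons.append("new country " + country)
    hour = datetime.fromisoformat(ts).hour
    if not baseline["earliest_hour"] <= hour <= baseline["latest_hour"]:
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGNINS))
    bob = build_baseline(SIGNINS, "bob")
    print("risky:", risky_login(bob, ("bob", "2023-05-02T03:00:00", BUCHAREST, "RO")))
```

The baseline is the part people skip: without one, a 03:00 sign-in from Romania is only "risky" if you already know that this user normally works London business hours, which is exactly what the notes mean by requiring a baseline of normal activity first.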
Network Authentication
- PAP and MS-CHAPv2 are older network authentication protocols
- NTLM is used for authentication in a Windows workgroup environment
- Kerberos - used for authentication & resource access in an Active Directory environment
- Extensible Authentication Protocol (EAP) - an authentication framework supporting many authentication standards
- RADIUS - uses a centralized authentication server as opposed to an edge device performing authentication
Network Authentication Protocols….
Password Authentication Protocol (PAP)
Outdated
Cleartext Transmissions
very easy to see Usernames & PWs using Wireshark!
Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
Client requests authentication from a Server
User is signing into an app / device using their credentials
Server sends a challenge to the Client
Client responds to the challenge with a hash computed from the challenge and the user's PW
Server compares the response to its own computed hash and authenticates if they match
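The challenge/response exchange above, as an added Python example written for these notes rather than the course's own material. It is a simplified illustration of the pattern, not the real MS-CHAPv2 algorithm: both sides derive a secret from the password (a plain SHA-256 digest stands in for the NT hash here, an assumption for the demo), the server sends a random single-use challenge, and the client answers with a keyed hash of it, so the password itself never crosses the wire. The class and function names are made up for the example.

```python
import hashlib
import hmac
import os


def password_verifier(password: str) -> bytes:
    """Secret both sides derive from the password. Assumption for this demo:
    a plain SHA-256 digest stands in for the NT hash the real protocol uses."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class AuthServer:
    """Holds password verifiers and one outstanding challenge per user."""

    def __init__(self) -> None:
        self._verifiers: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def register(self, user: str, password: str) -> None:
        self._verifiers[user] = password_verifier(password)

    def challenge(self, user: str) -> bytes:
        # Fresh random nonce per attempt, so a captured response is useless later.
        nonce = os.urandom(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)      # single use: removed on first check
        verifier = self._verifiers.get(user)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_response(password: str, nonce: bytes) -> bytes:
    """What the client sends back: a keyed hash of the challenge.
    The password itself never leaves the client."""
    return hmac.new(password_verifier(password), nonce, hashlib.sha256).digest()


def login(server: AuthServer, user: str, password: str) -> bool:
    """One full exchange: request challenge -> answer it -> server checks."""
    nonce = server.challenge(user)
    return server.verify(user, client_response(password, nonce))


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse battery staple")   # constructed demo account
    print("good password:", login(srv, "alice", "correct horse battery staple"))
    print("bad password:", login(srv, "alice", "wrong"))
```

One caveat worth noticing: the value the server stores is password-equivalent. Anyone who obtains it can answer challenges without ever knowing the password, which is the same weakness the notes raise for unsalted NTLM hashes, so the credential store needs the same protection as the passwords themselves.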
Microsoft New Technology LAN Manager (NTLM)
Supersedes older LANMAN protocol (LAN Manager)
Used on Windows Workgroup computers
PW hashes with NTLM are not salted
Salting a PW adds extra information before hashing to make the hash more difficult to crack. Unsalted PW hashes are easy to crack.
NTLM v2 PWs are salted
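What salting changes in the stored record, as an added Python example written for these notes (not course material): the unsalted scheme gives two users with the same password identical hashes, so anyone holding the credential store can see the sharing, while the salted, iterated scheme (PBKDF2 with a random per-user salt, an assumption for the demo) gives different records and still verifies correctly. Function names, the iteration count and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # PBKDF2 work factor; assumed value for the demo


def unsalted_hash(password: str) -> str:
    """NTLM-style storage: the same password always produces the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated storage as 'salthex$digesthex'. A fresh random salt
    per user means equal passwords produce different stored records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def shared_password_groups(store: dict) -> list:
    """Groups of users whose stored hashes are identical. With unsalted hashes
    this leaks password sharing to anyone who obtains the store; with salted
    hashes it returns nothing even when passwords are the same."""
    by_hash: dict = {}
    for user, h in store.items():
        by_hash.setdefault(h, set()).add(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed accounts: alice and bob happen to share a password.
    unsalted = {u: unsalted_hash("Summer2023!") for u in ("alice", "bob")}
    salted = {u: salted_hash("Summer2023!") for u in ("alice", "bob")}
    print("unsalted leaks sharing:", shared_password_groups(unsalted))
    print("salted leaks nothing:", shared_password_groups(salted))
```

The salt is stored next to the digest in the clear; it is not a secret. Its job is only to make each stored value unique, so precomputed work against one account cannot be reused against another.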
Kerberos
Microsoft Active Directory authentication
Kerberos Key Distribution Center (KDC)
Authentication Service (AS)
Ticket-Granting Service (TGS)
Ticket-Granting Ticket (TGT)
Extensible Authentication Protocol (EAP)
Network Authentication Framework
PKI Certificate authentication
Smart Card authentication
Uses TLS (Transport Layer Security) transport - the network communication is encrypted while authentication occurs, so credentials are not sent in cleartext
Applies to wired and wireless networks
IEEE 802.1X - not to be confused with 802.11, which is wireless
Port-based Network Access Control
Centralized RADIUS Server Authentication
Wired & Wireless Network Edge Devices
Ethernet Switches
Wi-Fi Routers
VPN Appliances
Remote Authentication Dial-In User Service (RADIUS)
Centralized Authentication
RADIUS Client - network edge device
Network Switch
VPN Appliance
Wireless Router
RADIUS Supplicant - user with a device that’s trying to connect
RADIUS Variations
Terminal Access Controller Access Control System (TACACS)
Terminal Access Controller Access Control System Plus (TACACS+)
Extended TACACS (XTACACS)
Identity Management Systems
- SSO - allows users to sign in once yet access many services without re-entering credentials
- Identity federation uses a centralized, trusted identity provider that provides authentication tokens consumed by other resources such as Web sites
Single Sign-On (SSO) - user credentials are not requested after initial authentication
Protocols - OpenID, OAuth
This allows you to sign into a web site using Google credentials. If you've already signed into Google, the next time you go to this site you will be signed in automatically!
Identity Federation - multiple resources that trust a single authentication source
Centralized Trusted Identity Provider (IdP) - Google, Facebook, etc.
Trusted by Resource Provider (RP)
Security Assertion Markup Language (SAML)
SAML Token - digital security token that proves identity