CISSP - Domain 5: Identity and Access Management
Capability tables list the privileges assigned to subjects and identify the objects that
subjects can access. Access control lists are object-focused rather than subject-focused.
Kerberos encrypts messages using secret keys, providing protection for authentication
traffic. The KDC is both a single point of failure and a serious risk if compromised,
because the keys stored on the KDC would allow attackers to impersonate any user.
Kerberos, Active Directory Federation Services (ADFS), and Central Authentication
Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation.
When the owner of a file makes the decisions about who has rights or access privileges
to it, they are using discretionary access control. Role-based access controls would grant
access based on a subject’s role, while rule-based controls would base the decision on a set
of rules or requirements. Nondiscretionary access controls apply a fixed set of rules to an
environment to manage access. Nondiscretionary access controls include rule-, role-, and
lattice-based access controls.
Mandatory access control systems are based on a lattice-based model. Lattice-based
models use a matrix of classification labels to compartmentalize data. Discretionary access
models allow object owners to determine access to the objects they control, role-based
access controls are often group based, and rule-based access controls like firewall ACLs
apply their rules to every subject they cover.
Mandatory access controls use a lattice to describe how classification labels relate
to each other. RBAC could be either rule- or role-based access control and would use
either system-wide rules or roles. Task-based access control (TBAC) would list tasks
for users.
RADIUS is an AAA protocol used to provide authentication and authorization; it’s
often used for modems, wireless networks, and network devices. It uses network access
servers to send access requests to central RADIUS servers. Kerberos is a ticket-based
authentication protocol; OAuth is an open standard for authentication allowing the use
of credentials from one site on third-party sites; and EAP is the Extensible Authentication
Protocol, an authentication framework often used for wireless networks.
Resource-based access controls match permissions to resources like a storage volume.
Resource-based access controls are becoming increasingly common in cloud-based
infrastructure as a service environments. The lack of roles, rules, or a classification system
indicates that role-based, rule-based, and mandatory access controls are not in use here.
By default, RADIUS uses UDP and encrypts only the password. RADIUS supports TCP
and TLS, but neither is a default setting.
Organizations that have very strict security requirements and no tolerance
for false acceptance want to lower the false acceptance rate (FAR) to be as near to zero
as possible. That often means that the false rejection rate (FRR) increases. Different
biometric technologies or a better registration method can help improve biometric
performance, but false rejections due to data quality are not typically a concern with
modern biometric systems. In this case, knowing the crossover error rate (CER) or
having a very high CER doesn’t help the decision.
Biometric systems can face major usability challenges if the time to enroll is long
(over a couple of minutes) and if the speed at which the biometric system is able to scan
and accept or reject the user is too slow. FAR and FRR may be important in the design
decisions made by administrators or designers, but they aren’t typically visible to users.
CER and EER are the same and are the point where FAR and FRR meet. Reference profile
requirements are a system requirement, not a user requirement.
Service Provisioning Markup Language, or SPML, is an XML-based language
designed to allow platforms to generate and respond to provisioning requests. SAML is
used to exchange authorization and authentication data, while XACML is used to describe
access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and
could be used for any XML messaging but is not a markup language itself.
Port 636 is the default port for LDAP-S, which provides LDAP over SSL or TLS, thus
indicating that the server supports encrypted connections. Since neither port 3268 nor
3269 is mentioned, we do not know if the server provides support for a global catalog.
The X.500 series of standards covers directory services. Kerberos is described in RFCs;
biometric systems are covered by a variety of standards, including ISO standards; and
provisioning standards include SCIM, SPML, and others.
SCIM - System for Cross-domain Identity Management
X.500 - Directory Services
X.509 - Digital Certificates
Active Directory Domain Services is based on LDAP, the Lightweight Directory Access
Protocol. Active Directory also uses Kerberos for authentication.
Biometric errors are of two types:
Type 1 errors occur when a valid subject is not authenticated; if the existing customer
was rejected, it would be a Type 1 error. Type 2 errors occur in biometric systems
when an invalid subject is incorrectly authenticated as a valid user. In this case,
nobody except the actual customer should be validated when fingerprints are scanned.
Firewalls use rule-based access control, or Rule-BAC, in their access control lists
and apply rules created by administrators to all traffic that passes through them. DAC, or
discretionary access control, allows owners to determine who can access objects they
control, while task-based access control lists tasks for users. MAC, or mandatory access
control, uses classifications to determine access.
Administrative access controls are procedures and the policies from which they
derive. They are based on regulations, requirements, and the organization’s own policies.
Corrective access controls return an environment to its original status after an issue, while
logical controls are technical access controls that rely on hardware or software to protect
systems and data. Compensating controls are used in addition to or as an alternative to
other controls.
When clients perform a client service authorization, they send a TGT and the ID of
the requested service to the TGS, and the TGS responds with a client-to-server ticket and
session key back to the client if the request is validated.
Knowledge-based authentication relies on preset questions such as “What is your pet’s
name?” and the answers. It can be susceptible to attacks because of the availability of the
answers on social media or other sites. Dynamic knowledge-based authentication relies
on facts or data that the user already knows that can be used to create questions they can
answer on an as-needed basis (for example, a previous address, or a school they attended).
An access control matrix is a table that lists objects, subjects, and their privileges.
Access control lists focus on objects and which subjects can access them. Capability tables
list subjects and what objects they can access.
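The following Python is an added illustration, not part of the original notes: it builds one constructed access control matrix and derives both views from it (an ACL is one column, a capability table is one row), then adds a reference-monitor check and a discretionary-grant rule that only the object's owner may exercise. The rights, subject names and object names are made up for the example.

```python
"""Access control matrix with its two projections: ACLs (per object) and capability tables (per subject)."""
from typing import Dict, Set

# subject -> object -> set of rights. The 'owner' right marks the object's owner,
# who under discretionary access control (DAC) decides who else gets access.
Matrix = Dict[str, Dict[str, Set[str]]]


def sample_matrix() -> Matrix:
    """Constructed example matrix (fresh copy each call so callers can mutate it)."""
    return {
        "alice": {"payroll.xlsx": {"owner", "read", "write"}, "/var/log": {"read"}},
        "bob":   {"payroll.xlsx": {"read"}},
        "carol": {"/var/log": {"owner", "read", "write"}},
    }


def acl(matrix: Matrix, obj: str) -> Dict[str, Set[str]]:
    """Object-focused view: which subjects hold which rights on this object (a matrix column)."""
    return {subj: rights[obj] for subj, rights in matrix.items() if obj in rights}


def capability_table(matrix: Matrix, subject: str) -> Dict[str, Set[str]]:
    """Subject-focused view: which objects this subject may touch and how (a matrix row)."""
    return dict(matrix.get(subject, {}))


def is_authorized(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check: deny by default unless the matrix cell grants the right."""
    return right in matrix.get(subject, {}).get(obj, set())


def dac_grant(matrix: Matrix, granter: str, grantee: str, obj: str, right: str) -> bool:
    """DAC rule: only the object's owner may hand out rights, and ownership itself is not
    transferable here (an assumption of this example). Returns False when nothing changed."""
    if right == "owner" or not is_authorized(matrix, granter, obj, "owner"):
        return False
    matrix.setdefault(grantee, {}).setdefault(obj, set()).add(right)
    return True


if __name__ == "__main__":
    m = sample_matrix()
    print("ACL for payroll.xlsx:", acl(m, "payroll.xlsx"))
    print("Capabilities of bob:", capability_table(m, "bob"))
    print("bob may write payroll?", is_authorized(m, "bob", "payroll.xlsx", "write"))
    print("bob grants carol read:", dac_grant(m, "bob", "carol", "payroll.xlsx", "read"))
    print("alice grants carol read:", dac_grant(m, "alice", "carol", "payroll.xlsx", "read"))
```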
OpenID Connect is a RESTful, JSON-based authentication protocol that, when paired
with OAuth, can provide identity verification and basic profile information. SAML is the
Security Assertion Markup Language, Shibboleth is a federated identity solution designed
to allow web-based SSO, and Higgins is an open-source project designed to provide users
with control over the release of their identity information.
Synchronous soft tokens, such as Google Authenticator, use a time-based algorithm
that generates a constantly changing series of codes. Asynchronous tokens typically
require a challenge to be entered on the token to allow it to calculate a response, which
the server compares to the response it expects. Smartcards typically present a certificate
but may have other token capabilities built in. Static tokens are physical devices that can
contain credentials and include smart cards and memory cards.
Asynchronous tokens use a challenge/response process in which the system sends a
challenge and the user responds with a PIN and a calculated response to the challenge.
The server performs the same calculations, and if both match, it authenticates the user.
Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired
with readers and don’t need to have challenges entered, and RFID devices are not used for
challenge/response tokens.
The crossover error rate is the point where false acceptance rate and false rejection rate
cross over and is a standard assessment used to compare the accuracy of biometric devices.
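The FAR/FRR trade-off and the crossover error rate described above and in the earlier biometric explanations, worked through as an added Python example that is not part of the original notes. The matcher scores are constructed (0 to 100, higher means a stronger match), and the threshold sweep is an assumption of the example rather than any vendor's method.

```python
"""Biometric FAR/FRR trade-off and crossover error rate (CER) on constructed scores."""
from typing import List, Tuple

# Constructed matcher scores; not real biometric data.
GENUINE_SCORES = [50, 60, 70, 80, 90, 95, 97, 98, 99, 100]   # legitimate users' samples
IMPOSTOR_SCORES = [5, 10, 20, 30, 40, 50, 55, 60, 70, 80]    # other people's samples
THRESHOLDS = range(0, 102)                                    # sweep the whole score range


def far(threshold: int, impostor: List[int] = IMPOSTOR_SCORES) -> float:
    """False acceptance rate: impostor samples at or above the threshold (Type 2 errors)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(threshold: int, genuine: List[int] = GENUINE_SCORES) -> float:
    """False rejection rate: legitimate samples below the threshold (Type 1 errors)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover_error_rate(thresholds=THRESHOLDS) -> Tuple[int, float]:
    """(threshold, CER): the first threshold where FAR and FRR are closest, and the rate there.
    The CER is reported as the mean of the two rates, which equals both when they cross exactly."""
    best_t = min(thresholds, key=lambda t: abs(far(t) - frr(t)))
    return best_t, (far(best_t) + frr(best_t)) / 2


def threshold_for_max_far(max_far: float, thresholds=THRESHOLDS) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR does not exceed max_far, with the FAR and FRR it costs.
    Pushing FAR toward zero shows the FRR penalty the strict organisation accepts."""
    for t in thresholds:
        if far(t) <= max_far:
            return t, far(t), frr(t)
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    t, cer = crossover_error_rate()
    print(f"CER at threshold {t}: FAR={far(t):.2f} FRR={frr(t):.2f} CER={cer:.2f}")
    for target in (0.2, 0.1, 0.0):
        t, a, r = threshold_for_max_far(target)
        print(f"FAR <= {target:.1f}: threshold {t} gives FAR={a:.2f} FRR={r:.2f}")
```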
The Simple Authentication and Security Layer (SASL) for LDAP provides support for a
range of authentication types, including secure methods. Anonymous authentication does
not require or provide security, and simple authentication can be tunneled over SSL or TLS
but does not provide security by itself. S-LDAP is not an LDAP protocol.
Allowing the relying party to provide the redirect to the OpenID provider could allow
a phishing attack by directing clients to a fake OpenID provider that can capture valid
credentials. Since the OpenID provider URL is provided by the client, the relying party
cannot select the wrong provider. The relying party never receives the user’s password,
which means that they can’t steal it. Finally, the relying party receives the signed assertion
but does not send one.
Drives in a RAID-5 array are intended to handle failure of a drive. This is an example
of a recovery control, which is used to return operations to normal function after a failure.
Administrative controls are policies and procedures. Compensating controls help cover for
issues with primary controls or improve them. Logical controls are software and hardware
mechanisms used to protect resources and systems.
Diameter was designed to provide enhanced, modern features to replace RADIUS.
Diameter provides better reliability and a broad range of improved functionality over
RADIUS, including support for additional commands and protocols, replacing UDP traffic
with TCP, and providing for extensible commands.
Kerberos relies on properly synchronized time on each end of a connection to function.
If the local system time is more than five minutes out of sync, valid TGTs will be invalid
and the system won’t receive any new tickets.
The default ports for SSL/TLS LDAP directory information and global catalog services
are 636 and 3269, respectively. Unsecure LDAP uses 389, and unsecure global directory
services use 3268.