CompTIA Security+ Certification SY0-301

CompTIA Security+ Certification SY0-301

Centro Latino, Inc. | Computer Technology Program

CompTIA

Security+

Section 5 –

Access Control &

Identity Management

5.2 – Authentication, Authorization &

Access Control (AAA)

5.2 – AAA

Objectives

5.2 Explain the fundamental concepts and best practices related to authentication,

authorization and access control

 Identification vs. authentication

 Authentication (single factor) and authorization

 Multifactor authentication

 Biometrics

 Tokens

 Common access card

 Personal identification verification card  Smart card  Least privilege  Separation of duties  Single sign on  ACLs  Access control

 Mandatory access control

 Discretionary access control

 Role/rule-based access control

 Implicit deny

 Time of day restrictions

 Trusted OS

 Mandatory vacations

Identification &

Authentication

5.2 – Identification & Authentication



Identification

associates a user with an action

 You know who that was!



Authentication

 Proves a user or process is who it claims to be



The

Access Control Process

 Prove a user is who they say they are

• Validate access (Authorization)

 Prove a user performed an action

• No denial

5.2 – Your Account

 Identifier

 Something unique

 In Windows, every account has

Security Identifier (SID)  Credentials

 The information used to authenticate the user

• Password, smart card, PIN code, etc.



Profile

 Information stored about the user

5.2 – Issuance / Enrollment



Identity Proofing

 Verify subjects when the account is created

 Background checks, records checks



Valid account generation

 Prevent dummy accounts

 Only real people

 Provide controls and oversight



Secure credentials transmission

 Send the password securely

Single-Factor

Authentication

5.2 – Single-Factor

Authentication

 Authentication Factors

 Something you know

• Password, PIN

 Something you have

• Smart card, token  Something you are

5.2 – Often used Factors



Most often something you know

 Such as a password

 The username is not usually something secret

• But it shouldn’t be public



Password / Passphrase

 Letters, numbers, special characters



Personal Identification Number (PIN

)

 Personally Identifiable Information (PII)

• Full name, birth date, address, social security number, favorite sci-fi series about portals powered with superconductive material that create wormholes for one-way travel over large distances

5.2 – Single-Factor

Authentication Challenges



Passwords are easily stolen

 Phising

 Keyloggers



Many passwords are easily guessed

 Password, 123456, abc123, Latino10…



Many passwords are reused

 2011: Compare breaches from Sony and Gawker

5.2 – Single-Factor

5.2 – Password Generators

5.2 – Good Password Practices (1)

 Do not use the same password on multiple accounts.

 The password should contains at least 20 characters, it should consists of both numbers, letters and special symbols.

 Do not use the names of your families, friends or pets.

 Do not use postcodes, house numbers, phone numbers,

birthdates, ID card numbers, social security numbers, etc.

 Do not use the most commonly used English words.

 You should not let your browsers (FireFox, Chrome, Opera, IE, Safari ) or FTP client programs save your passwords, any password saved in the browser can be revealed with a simple click using a script.

 Do not login important accounts with a public computer or a machine of other guys.

5.2 – Good Password Practices (2)

 Do not login important accounts with

HTTP or FTP connections, because the username and password in the message of a HTTP or FTP

connection can be captured easily with a network protocol analyzer like Wireshark, which means that the password can be sniffed or hacked with very little effort. You should use HTTPS or SFTP connections.

 It's a good habit to change

your passwords regularly.

You can manage and encrypt your passwords with password

management software. It's a good idea to add an extra protection to your passwords with the freeware

Multi-Factor

Authentication

5.2 – Multi-Factor Authentication



More than one Factor

5.2 – Things you have



Smart card

 Integrates with devices

 May require a PIN



USB token

 Certificate is on the USB device



Hardware or Software Tokens

5.2 – Multi-Factor Authentication

Solutions

5.2 – Single Sign-On (SSO)

 Authenticate one time  Gain access to everything!  Many different methods  Kerberos Authentication and Authorization  3rd_{-Party options}

 Don’t see this much

in smaller

environments

 How many things do you log into?

5.2 – Single Sign-On (SSO)

with

Kerberos



Authenticate one time

 Lots of backend ticketing



No constant username and password input!

 Save time



Only works with Kerberos

5.2 – Single Sign-On (SSO)

5.2 – SSO for Everything?



Software as a Service (SaaS)

 The cloud is changing the way we use applications



3

rd

_{-Party services are bridging the GAP}

 Lots of options out there



“OneLogin” has a catalog of 1,500+ Applications!

 SSO that includes two-factor authentication

Authorization &

Access Control

5.2 – Access Control



Authorization

 The process of ensuring only authorized rights are exercised.

• Policy enforcement

 The process of determining rights

• Policy definition



How do users receive rights?

 ACLs: Access Control Lists (ACLs)

• Discretionary Access Control (DAC)

• Role-Based Access Control (RBAC)

5.2 – Access Control Models

 Discretionary Access Control (DAC)

 The owner is in full control

 Very flexible

 Very weak security

 Role-Based Access Control (RBAC)

 Administrators provide access based on the role of the user

• Rights are gained implicitly instead of explicitly

 MS-Windows uses “Groups” to provide role-based access control

 Mandatory Access Control (MAC)

 Based on security clearance levels

 Every object gets a label

5.2 –

Other

Access Control Options

 Rule-based access control

 Generic term for the following rules

• Example: Role-based and mandatory access control

 Access is determined through system-enforced rules

• Not users

 Implicit Deny

 Unless otherwise stated, there’s no access of

any kind

 Very commonly used in Firewalls

 Time of Days Restrictions

 Access control changes depending on the time of day

5.2 – Evaluation Assurance Level



Common Criteria for Information Technology

Security Evaluation

 Also called Common Criteria (or CC)

 An international computer security certification standard

• ISO/IEC 15408

 Very common reference for US Federal Government



Evaluation Assurance Level (EAL)

 EAL1 through EAL7



Trusted Operating System

 The operating System is EAL compliant

5.2 – Evaluation Assurance

Levels

5.2 –

COSTS

associated with

5.2 – Evaluation Assurance

Levels

 Commercial operating systems that provide conventional, user-based security features are typically evaluated at

EAL4.

 Examples of such

operating systems

are AIX, HP-UX, FreeBSD, Oracle Linux, Novell NetWare, Solaris, SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 10, Red Hat Enterprise Linux 5,

Windows 2000 Service

Pack 3, Windows 2003, Windows XP, Windows

Vista, Windows 7, Windows Server 2008 R2

, and