CompTIA Security+ Certification SY0-301

Transcription

1 CompTIA Security+ Certification SY0-301 Centro Latino, Inc. Computer Technology Program Prof: Nestor Uribe, Broadway, Chelsea, MA Tel. (617) ext. 219 It.centrolatino.org 1

2 CompTIA Security+ Certification 2

3 Section 5 Access Control & Identity Management 5.2 Authentication, Authorization & Access Control (AAA) 3

4 5.2 Explain the fundamental concepts and best practices related to authentication, authorization and access control 5.2 AAA Objectives Identification vs. authentication Authentication (single factor) and authorization Multifactor authentication Biometrics Tokens Common access card Personal identification verification card Smart card Least privilege Separation of duties Single sign on ACLs Access control Mandatory access control Discretionary access control Role/rule-based access control Implicit deny Time of day restrictions Trusted OS Mandatory vacations Job rotation 4

5 Identification & Authentication 5

6 5.2 Identification & Authentication Identification associates a user with an action You know who that was! Authentication Proves a user or process is who it claims to be The Access Control Process Prove a user is who they say they are Validate access (Authorization) Prove a user performed an action No denial (Non-Repudiation / There is no way to deny it was you login in!) 6

7 5.2 Your Account Identifier Something unique In Windows, every account has Security Identifier (SID) Credentials The information used to authenticate the user Password, smart card, PIN code, etc. Profile Information stored about the user Name, contact information, group memberships, etc. 7

8 5.2 Issuance / Enrollment Identity Proofing Verify subjects when the account is created Background checks, records checks Valid account generation Prevent dummy accounts Only real people Provide controls and oversight Secure credentials transmission Send the password securely New passwords can be easily exploited 8

9 Single-Factor Authentication 9

10 Authentication Factors Something you know Password, PIN Something you have Smart card, token Something you are Fingerprint, IRIS scan 5.2 Single-Factor Authentication 10

11 5.2 Often used Factors Most often something you know Such as a password The username is not usually something secret But it shouldn t be public Password / Passphrase Letters, numbers, special characters Personal Identification Number (PIN) Personally Identifiable Information (PII) Full name, birth date, address, social security number, favorite sci-fi series about portals powered with superconductive material that create wormholes for one-way travel over large distances 11

12 5.2 Single-Factor Authentication Challenges Passwords are easily stolen Phising Keyloggers Many passwords are easily guessed Password, , abc123, Latino10 Many passwords are reused 2011: Compare breaches from Sony and Gawker 88 s identical, 92% had the same password 12

13 5.2 Single-Factor Authentication Challenges 13

14 5.2 Password Generators 14

15 5.2 Good Password Practices (1) Do not use the same password on multiple accounts. The password should contains at least 20 characters, it should consists of both numbers, letters and special symbols. Do not use the names of your families, friends or pets. Do not use postcodes, house numbers, phone numbers, birthdates, ID card numbers, social security numbers, etc. Do not use the most commonly used English words. You should not let your browsers (FireFox, Chrome, Opera, IE, Safari ) or FTP client programs save your passwords, any password saved in the browser can be revealed with a simple click using a script. Do not login important accounts with a public computer or a machine of other guys. 15

16 5.2 Good Password Practices (2) Do not login important accounts with HTTP or FTP connections, because the username and password in the message of a HTTP or FTP connection can be captured easily with a network protocol analyzer like Wireshark, which means that the password can be sniffed or hacked with very little effort. You should use HTTPS or SFTP connections. It's a good habit to change your passwords regularly. You can manage and encrypt your passwords with password management software. It's a good idea to add an extra protection to your passwords with the freeware ipassword Generator. 16

17 Multi-Factor Authentication 17

18 5.2 Multi-Factor Authentication More than one Factor Something you know, Something you have, Something you are 18

19 5.2 Things you have Smart card Integrates with devices May require a PIN USB token Certificate is on the USB device Hardware or Software Tokens Generates pseudo-random Authentication Codes 19

20 5.2 Multi-Factor Authentication Solutions 20

21 Single Sign-On (SSO) 21

22 5.2 Single Sign-On (SSO) Authenticate one time Gain access to everything! Many different methods Kerberos Authentication and Authorization 3 rd -Party options Don t see this much in smaller environments How many things do you log into? The cloud is changing this! 22

23 5.2 Single Sign-On (SSO) with Kerberos Authenticate one time Lots of backend ticketing No constant username and password input! Save time Only works with Kerberos Not everything is Kerberos-Friendly 23

24 5.2 Single Sign-On (SSO) with Kerberos 24

25 5.2 SSO for Everything? Software as a Service (SaaS) The cloud is changing the way we use applications 3 rd -Party services are bridging the GAP Lots of options out there OneLogin has a catalog of 1,500+ Applications! SSO that includes two-factor authentication 25

26 5.2 SSO for Everything? 26

27 Authorization & Access Control 27

28 5.2 Access Control Authorization The process of ensuring only authorized rights are exercised. Policy enforcement The process of determining rights Policy definition How do users receive rights? ACLs: Access Control Lists (ACLs) Discretionary Access Control (DAC) Role-Based Access Control (RBAC) Mandatory Access Control (MAC) 28

29 5.2 Access Control Models Discretionary Access Control (DAC) The owner is in full control Very flexible Very weak security Role-Based Access Control (RBAC) Administrators provide access based on the role of the user Rights are gained implicitly instead of explicitly MS-Windows uses Groups to provide role-based access control Mandatory Access Control (MAC) Based on security clearance levels Every object gets a label Labeling of objects uses predefined rules 29

30 5.2 Other Access Control Options Rule-based access control Generic term for the following rules Example: Role-based and mandatory access control Access is determined through system-enforced rules Not users Implicit Deny Unless otherwise stated, there s no access of any kind Very commonly used in Firewalls Time of Days Restrictions Access control changes depending on the time of day Different rights during the day vs. at night 30

31 5.2 Access Control 31

32 Trusted OS 32

33 5.2 Evaluation Assurance Level Common Criteria for Information Technology Security Evaluation Also called Common Criteria (or CC) An international computer security certification standard ISO/IEC Very common reference for US Federal Government Evaluation Assurance Level (EAL) EAL1 through EAL7 Trusted Operating System The operating System is EAL compliant EAL4 is the most accepted minimum level 33

34 5.2 Evaluation Assurance Levels 34

35 5.2 COSTS associated with Evaluation Assurance Levels (U.S. Government Accountability Office) 35

36 5.2 Evaluation Assurance Levels Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4. Examples of such operating systems are AIX, HP-UX, FreeBSD, Oracle Linux, Novell NetWare, Solaris, SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 10, Red Hat Enterprise Linux 5, Windows 2000 Service Pack 3, Windows 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008 R2, and VM version