CompTIA Security+ Certification SY0-301
Centro Latino, Inc. Computer Technology Program
Prof: Nestor Uribe, nuribe@centrolatino.org
www.centrolatino.org
267 Broadway, Chelsea, MA 02150
Tel. (617) 884-3238 ext. 219
it.centrolatino.org

Section 5 Access Control & Identity Management
5.2 Authentication, Authorization & Access Control (AAA)
5.2 Explain the fundamental concepts and best practices related to authentication, authorization and access control

5.2 AAA Objectives
  Identification vs. authentication
  Authentication (single factor) and authorization
  Multifactor authentication
  Biometrics
  Tokens
  Common access card
  Personal identification verification card
  Smart card
  Least privilege
  Separation of duties
  Single sign-on
  ACLs
  Access control
  Mandatory access control
  Discretionary access control
  Role/rule-based access control
  Implicit deny
  Time-of-day restrictions
  Trusted OS
  Mandatory vacations
  Job rotation
Identification & Authentication

5.2 Identification & Authentication
  Identification
    Associates a user with an action ("You know who that was!")
  Authentication
    Proves a user or process is who it claims to be
  The Access Control Process
    Authentication: prove a user is who they say they are
    Authorization: validate access
    Non-repudiation: prove a user performed an action (no denial; there is no way to deny it was you logging in!)

5.2 Your Account
  Identifier
    Something unique; in Windows, every account has a Security Identifier (SID)
  Credentials
    The information used to authenticate the user: password, smart card, PIN code, etc.
  Profile
    Information stored about the user: name, contact information, group memberships, etc.

5.2 Issuance / Enrollment
  Identity proofing
    Verify subjects when the account is created (background checks, records checks)
  Valid account generation
    Prevent dummy accounts: only real people; provide controls and oversight
  Secure credentials transmission
    Send the password securely; new passwords can be easily exploited
Single-Factor Authentication

5.2 Single-Factor Authentication
  Authentication Factors
    Something you know: password, PIN
    Something you have: smart card, token
    Something you are: fingerprint, iris scan

5.2 Often-Used Factors
  Most often something you know, such as a password
    The username is not usually something secret, but it shouldn't be public
  Password / passphrase: letters, numbers, special characters
  Personal Identification Number (PIN)
  Personally Identifiable Information (PII): full name, birth date, address, social security number, favorite sci-fi series about portals powered with superconductive material that create wormholes for one-way travel over large distances

5.2 Single-Factor Authentication Challenges
  Passwords are easily stolen: phishing, keyloggers
  Many passwords are easily guessed: Password, 123456, abc123, Latino10
  Many passwords are reused
    2011: compare the breaches from Sony and Gawker; 88 emails were identical, and 92% had the same password
5.2 Password Generators
  http://passwordsgenerator.net/

5.2 Good Password Practices (1)
  Do not use the same password on multiple accounts.
  The password should contain at least 20 characters and should consist of numbers, letters and special symbols.
  Do not use the names of your family, friends or pets.
  Do not use postcodes, house numbers, phone numbers, birthdates, ID card numbers, social security numbers, etc.
  Do not use the most commonly used English words.
  You should not let your browsers (Firefox, Chrome, Opera, IE, Safari) or FTP client programs save your passwords; any password saved in the browser can be revealed with a simple click using a script.
  Do not log in to important accounts from a public computer or from someone else's machine.

5.2 Good Password Practices (2)
  Do not log in to important accounts over HTTP or FTP connections, because the username and password in an HTTP or FTP message can be captured easily with a network protocol analyzer like Wireshark, which means the password can be sniffed with very little effort. You should use HTTPS or SFTP connections.
  It's a good habit to change your passwords regularly.
  You can manage and encrypt your passwords with password management software.
  It's a good idea to add extra protection to your passwords with the freeware ipassword Generator.
  http://passwordsgenerator.net/ipassword/
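The two practice slides above give rules a password should satisfy (20+ characters, letters, digits and special symbols, no common words, no personal details). The following Python is an added example, not course material or code from passwordsgenerator.net: it generates a password from the operating system's CSPRNG and checks a candidate against those rules. The denylist is a constructed stand-in for the large breach/word list a real checker would load.

```python
"""Generate and check passwords against the slide's rules (added example)."""
import secrets
import string

MIN_LENGTH = 20
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed denylist: the guessable passwords named on the slide plus a few
# common English words. A production checker would load a full breach list.
COMMON = ("password", "123456", "abc123", "latino10", "welcome", "letmein", "qwerty")


def check_password(pw, personal_info=()):
    """Return a list of rule violations; an empty list means the password passes.

    personal_info: strings the user must never embed (names, birthdate, postcode...).
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no special symbols")
    lowered = pw.lower()
    for word in COMMON:
        if word in lowered:
            problems.append(f"contains common password/word '{word}'")
    for info in personal_info:
        if info and info.lower() in lowered:
            problems.append(f"contains personal information '{info}'")
    return problems


def generate_password(length=MIN_LENGTH):
    """Return a random password that satisfies check_password().

    secrets.choice draws from the OS CSPRNG; the loop retries in the rare case
    a draw misses a character class (or happens to contain a denylisted word).
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be >= {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    print("generated:", generate_password())
    for pw in ("Latino10", "Tr0ub4dor&3-walks-into-a-bar!"):
        print(pw, "->", check_password(pw, personal_info=["walks"]) or "OK")
```

The checker reports every violated rule rather than stopping at the first, so a user (or an enrollment form) sees the whole list at once; the generator reuses the same checker so the two can never drift apart.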
Multi-Factor Authentication

5.2 Multi-Factor Authentication
  More than one factor: something you know, something you have, something you are

5.2 Things You Have
  Smart card
    Integrates with devices; may require a PIN
  USB token
    Certificate is on the USB device
  Hardware or software tokens
    Generate pseudo-random authentication codes
5.2 Multi-Factor Authentication Solutions

Single Sign-On (SSO)

5.2 Single Sign-On (SSO)
  Authenticate one time, gain access to everything!
  Many different methods
    Kerberos: authentication and authorization
    3rd-party options
  Don't see this much in smaller environments
    How many things do you log into?
    The cloud is changing this!

5.2 Single Sign-On (SSO) with Kerberos
  Authenticate one time; lots of backend ticketing
  No constant username and password input! Saves time
  Only works with Kerberos; not everything is Kerberos-friendly
5.2 SSO for Everything?
  Software as a Service (SaaS): the cloud is changing the way we use applications
  3rd-party services are bridging the gap
  Lots of options out there: OneLogin has a catalog of 1,500+ applications! SSO that includes two-factor authentication
  www.onelogin.com
Authorization & Access Control

5.2 Access Control
  Authorization
    The process of ensuring only authorized rights are exercised (policy enforcement)
    The process of determining rights (policy definition)
  How do users receive rights?
    Access Control Lists (ACLs)
    Discretionary Access Control (DAC)
    Role-Based Access Control (RBAC)
    Mandatory Access Control (MAC)

5.2 Access Control Models
  Discretionary Access Control (DAC)
    The owner is in full control
    Very flexible; very weak security
  Role-Based Access Control (RBAC)
    Administrators provide access based on the role of the user
    Rights are gained implicitly instead of explicitly
    MS-Windows uses Groups to provide role-based access control
  Mandatory Access Control (MAC)
    Based on security clearance levels
    Every object gets a label; labeling of objects uses predefined rules

5.2 Other Access Control Options
  Rule-based access control
    Generic term for the following rules; example: role-based and mandatory access control
    Access is determined through system-enforced rules, not by users
  Implicit deny
    Unless otherwise stated, there's no access of any kind
    Very commonly used in firewalls
  Time-of-day restrictions
    Access control changes depending on the time of day
    Different rights during the day vs. at night
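The three slides above define DAC, RBAC, MAC, implicit deny and time-of-day restrictions in words. The Python below is an added example, not part of the course, that encodes each rule as a small function so the differences are concrete: DAC consults an owner-managed ACL, RBAC grants rights implicitly through roles (the slide's Windows groups), MAC compares a subject's clearance against an object's label, a system-enforced time window restricts one role to business hours, and anything no rule grants falls to implicit deny. The users, labels, roles and hours are all constructed; a real system normally implements one primary model, and they are combined in one `decide()` here only so a single call can show every rule. The MAC check is simplified to "clearance must dominate the label" (no read up); full MAC models such as Bell-LaPadula also constrain writes.

```python
"""Toy policy engine for the access control models on these slides (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, time

# MAC: system-defined ordering of labels; subjects carry a clearance, objects a label.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# RBAC: administrators map roles to permissions; users gain them implicitly via roles.
ROLE_PERMS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Rule-based / time-of-day: a system-enforced window (constructed) for one role.
HOURS = {"analyst": (time(8, 0), time(18, 0))}  # roles not listed are unrestricted


@dataclass
class Subject:
    name: str
    clearance: str                               # MAC label of the user
    roles: set = field(default_factory=set)      # RBAC group memberships


@dataclass
class Obj:
    name: str
    owner: str                                   # DAC: owner has full control
    label: str                                   # MAC label assigned by predefined rules
    dac_acl: dict = field(default_factory=dict)  # DAC: owner-granted {user: {perms}}


def mac_allows(subject, obj):
    """Simplified MAC: clearance must be at least the object's label (no read up)."""
    return LEVELS[subject.clearance] >= LEVELS[obj.label]


def rbac_allows(subject, action):
    """RBAC: permission comes from any role the subject holds, never from the subject directly."""
    return any(action in ROLE_PERMS.get(role, set()) for role in subject.roles)


def dac_allows(subject, obj, action):
    """DAC: the owner may do anything and may grant others through the ACL."""
    if subject.name == obj.owner:
        return True
    return action in obj.dac_acl.get(subject.name, set())


def time_allows(subject, now):
    """Time-of-day restriction: a restricted role is usable only inside its window."""
    for role in subject.roles:
        if role in HOURS:
            start, end = HOURS[role]
            if not (start <= now.time() <= end):
                return False
    return True


def decide(subject, obj, action, now):
    """Return (allowed, reason). Mandatory rules are checked first and can only deny;
    RBAC is consulted before the owner ACL (a design choice for this example); with
    no matching grant the answer is implicit deny."""
    if not mac_allows(subject, obj):
        return False, "denied by MAC label rule"
    if not time_allows(subject, now):
        return False, "denied by time-of-day restriction"
    if rbac_allows(subject, action):
        return True, "granted by role"
    if dac_allows(subject, obj, action):
        return True, "granted by owner ACL"
    return False, "implicit deny (no matching rule)"


# Constructed sample principals and object.
REPORT = Obj("q3_report", owner="bob", label="confidential", dac_acl={"dave": {"read"}})
ALICE = Subject("alice", "secret", {"analyst"})       # rights via role, business hours only
BOB = Subject("bob", "secret")                        # no role, but owns the report
CAROL = Subject("carol", "confidential", {"admin"})   # admin role, low clearance
DAVE = Subject("dave", "secret")                      # no role, read granted via ACL
DAY = datetime(2024, 5, 6, 10, 0)
NIGHT = datetime(2024, 5, 6, 22, 0)

if __name__ == "__main__":
    for who, act, when in [(ALICE, "read", DAY), (ALICE, "read", NIGHT), (ALICE, "write", DAY),
                           (BOB, "write", DAY), (DAVE, "read", DAY), (DAVE, "write", DAY)]:
        print(f"{who.name:6} {act:5} {when.time()} -> {decide(who, REPORT, act, when)}")
    print("carol  read  top secret ->", decide(CAROL, Obj("plan", "bob", "top secret"), "read", DAY))
```

Reading the `decide()` order top to bottom reproduces the slides' point about rule-based control: the label and time rules are enforced by the system and a user or owner cannot override them, while DAC and RBAC only ever add access, and the final line is the implicit deny that firewalls apply to unmatched traffic.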
5.2 Access Control
  http://www.brocade.com/support/product_manuals/serveriron_secuirtyguide/acls.3.10.html

Trusted OS

5.2 Evaluation Assurance Level
  Common Criteria for Information Technology Security Evaluation
    Also called Common Criteria (or CC)
    An international computer security certification standard: ISO/IEC 15408
    Very common reference for the US Federal Government
  Evaluation Assurance Level (EAL)
    EAL1 through EAL7
  Trusted Operating System
    The operating system is EAL compliant
    EAL4 is the most accepted minimum level

5.2 Evaluation Assurance Levels
  http://en.wikipedia.org/wiki/evaluation_assurance_level

5.2 Costs associated with Evaluation Assurance Levels
  www.gao.gov (U.S. Government Accountability Office)
  http://www.gao.gov/assets/250/249422.pdf

5.2 Evaluation Assurance Levels
  Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4. Examples of such operating systems are AIX, HP-UX, FreeBSD, Oracle Linux, Novell NetWare, Solaris, SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 10, Red Hat Enterprise Linux 5, Windows 2000 Service Pack 3, Windows 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008 R2, and VM version 5.3.